ssltest.c revision 1.7
1/* ssl/ssltest.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116/* ==================================================================== 117 * Copyright 2005 Nokia. All rights reserved. 118 * 119 * The portions of the attached software ("Contribution") is developed by 120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 121 * license. 122 * 123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 125 * support (see RFC 4279) to OpenSSL. 126 * 127 * No patent licenses or other rights except those expressly stated in 128 * the OpenSSL open source license shall be deemed granted or received 129 * expressly, by implication, estoppel, or otherwise. 130 * 131 * No assurances are provided by Nokia that the Contribution does not 132 * infringe the patent or other intellectual property rights of any third 133 * party or that the license provides you with all the necessary rights 134 * to make use of the Contribution. 135 * 136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 140 * OTHERWISE. 141 */ 142 143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly 144 on Linux and GNU platforms. */ 145#include <sys/types.h> 146#include <sys/param.h> 147#include <sys/socket.h> 148 149#include <netinet/in.h> 150 151#include <assert.h> 152#include <errno.h> 153#include <limits.h> 154#include <netdb.h> 155#include <stdio.h> 156#include <stdlib.h> 157#include <string.h> 158#include <time.h> 159#include <unistd.h> 160 161#include <ctype.h> 162 163#include <openssl/opensslconf.h> 164#include <openssl/e_os2.h> 165#include <openssl/bio.h> 166#include <openssl/crypto.h> 167#include <openssl/evp.h> 168#include <openssl/x509.h> 169#include <openssl/x509v3.h> 170#include <openssl/ssl.h> 171#ifndef OPENSSL_NO_ENGINE 172#include <openssl/engine.h> 173#endif 174#include <openssl/err.h> 175#include <openssl/rand.h> 176#include <openssl/rsa.h> 177#include <openssl/dsa.h> 178#include <openssl/dh.h> 179#include <openssl/bn.h> 180 181#define _XOPEN_SOURCE_EXTENDED 1 182/* Or gethostname won't be declared properly 183 on Compaq platforms (at least with DEC C). 184 Do not try to put it earlier, or IPv6 includes 185 get screwed... */ 186 187 188# define TEST_SERVER_CERT "../apps/server.pem" 189# define TEST_CLIENT_CERT "../apps/client.pem" 190 191static int verify_callback(int ok, X509_STORE_CTX *ctx); 192static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); 193static void free_tmp_rsa(void); 194static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); 195#define APP_CALLBACK_STRING "Test Callback Argument" 196struct app_verify_arg { 197 char *string; 198 int app_verify; 199 int allow_proxy_certs; 200 char *proxy_auth; 201 char *proxy_cond; 202}; 203 204static DH *get_dh512(void); 205static DH *get_dh1024(void); 206static DH *get_dh1024dsa(void); 207 208static BIO *bio_err = NULL; 209static BIO *bio_stdout = NULL; 210 211static char *cipher = NULL; 212static int verbose = 0; 213static int debug = 0; 214 215int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, clock_t *c_time); 216int doit(SSL *s_ssl, SSL *c_ssl, long bytes); 217static int do_test_cipherlist(void); 218 219static void 220sv_usage(void) 221{ 222 fprintf(stderr, "usage: ssltest [args ...]\n"); 223 fprintf(stderr, "\n"); 224 fprintf(stderr, " -server_auth - check server certificate\n"); 225 fprintf(stderr, " -client_auth - do client authentication\n"); 226 fprintf(stderr, " -proxy - allow proxy certificates\n"); 227 fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n"); 228 fprintf(stderr, " -proxy_cond <val> - experssion to test proxy policy rights\n"); 229 fprintf(stderr, " -v - more output\n"); 230 fprintf(stderr, " -d - debug output\n"); 231 fprintf(stderr, " -reuse - use session-id reuse\n"); 232 fprintf(stderr, " -num <val> - number of connections to perform\n"); 233 fprintf(stderr, " -bytes <val> - number of bytes to swap between client/server\n"); 234 fprintf(stderr, " -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); 235 fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 236 fprintf(stderr, " -no_dhe - disable DHE\n"); 237 fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); 238 fprintf(stderr, " -dtls1 - use DTLSv1\n"); 239 fprintf(stderr, " -ssl3 - use SSLv3\n"); 240 fprintf(stderr, " -tls1 - use TLSv1\n"); 241 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); 242 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); 243 fprintf(stderr, " -cert arg - Server certificate file\n"); 244 fprintf(stderr, " -key arg - Server key file (default: same as -cert)\n"); 245 fprintf(stderr, " -c_cert arg - Client certificate file\n"); 246 fprintf(stderr, " -c_key arg - Client key file (default: same as -c_cert)\n"); 247 fprintf(stderr, " -cipher arg - The cipher list\n"); 248 fprintf(stderr, " -bio_pair - Use BIO pairs\n"); 249 fprintf(stderr, " -f - Test even cases that can't work\n"); 250 fprintf(stderr, " -time - measure processor time used by client and server\n"); 251 fprintf(stderr, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 252 " Use \"openssl ecparam -list_curves\" for all names\n" \ 253 " (default is sect163r2).\n"); 254 fprintf(stderr, " -test_cipherlist - verifies the order of the ssl cipher lists\n"); 255} 256 257static void 258print_details(SSL *c_ssl, const char *prefix) 259{ 260 const SSL_CIPHER *ciph; 261 X509 *cert; 262 263 ciph = SSL_get_current_cipher(c_ssl); 264 BIO_printf(bio_stdout, "%s%s, cipher %s %s", 265 prefix, 266 SSL_get_version(c_ssl), 267 SSL_CIPHER_get_version(ciph), 268 SSL_CIPHER_get_name(ciph)); 269 cert = SSL_get_peer_certificate(c_ssl); 270 if (cert != NULL) { 271 EVP_PKEY *pkey = X509_get_pubkey(cert); 272 if (pkey != NULL) { 273 if (pkey->type == EVP_PKEY_RSA && 274 pkey->pkey.rsa != NULL && 275 pkey->pkey.rsa->n != NULL) { 276 BIO_printf(bio_stdout, ", %d bit RSA", 277 BN_num_bits(pkey->pkey.rsa->n)); 278 } 279 else if (pkey->type == EVP_PKEY_DSA && 280 pkey->pkey.dsa != NULL && 281 pkey->pkey.dsa->p != NULL) { 282 BIO_printf(bio_stdout, ", %d bit DSA", 283 BN_num_bits(pkey->pkey.dsa->p)); 284 } 285 EVP_PKEY_free(pkey); 286 } 287 X509_free(cert); 288 } 289 /* The SSL API does not allow us to look at temporary RSA/DH keys, 290 * otherwise we should print their lengths too */ 291 BIO_printf(bio_stdout, "\n"); 292} 293 294static void 295lock_dbg_cb(int mode, int type, const char *file, int line) 296{ 297 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ 298 const char *errstr = NULL; 299 int rw; 300 301 rw = mode & (CRYPTO_READ|CRYPTO_WRITE); 302 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) { 303 errstr = "invalid mode"; 304 goto err; 305 } 306 307 if (type < 0 || type >= CRYPTO_NUM_LOCKS) { 308 errstr = "type out of bounds"; 309 goto err; 310 } 311 312 if (mode & CRYPTO_LOCK) { 313 if (modes[type]) { 314 errstr = "already locked"; 315 /* must not happen in a single-threaded program 316 * (would deadlock) */ 317 goto err; 318 } 319 320 modes[type] = rw; 321 } else if (mode & CRYPTO_UNLOCK) { 322 if (!modes[type]) { 323 errstr = "not locked"; 324 goto err; 325 } 326 327 if (modes[type] != rw) { 328 errstr = (rw == CRYPTO_READ) ? 329 "CRYPTO_r_unlock on write lock" : 330 "CRYPTO_w_unlock on read lock"; 331 } 332 333 modes[type] = 0; 334 } else { 335 errstr = "invalid mode"; 336 goto err; 337 } 338 339err: 340 if (errstr) { 341 /* we cannot use bio_err here */ 342 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 343 errstr, mode, type, file, line); 344 } 345} 346 347int 348main(int argc, char *argv[]) 349{ 350 char *CApath = NULL, *CAfile = NULL; 351 int badop = 0; 352 int bio_pair = 0; 353 int force = 0; 354 int tls1 = 0, ssl2 = 0, ssl3 = 0, dtls1 = 0, ret = 1; 355 int client_auth = 0; 356 int server_auth = 0, i; 357 struct app_verify_arg app_verify_arg = 358 { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; 359 char *server_cert = TEST_SERVER_CERT; 360 char *server_key = NULL; 361 char *client_cert = TEST_CLIENT_CERT; 362 char *client_key = NULL; 363 char *named_curve = NULL; 364 SSL_CTX *s_ctx = NULL; 365 SSL_CTX *c_ctx = NULL; 366 const SSL_METHOD *meth = NULL; 367 SSL *c_ssl, *s_ssl; 368 int number = 1, reuse = 0; 369 long bytes = 256L; 370 DH *dh; 371 int dhe1024 = 0, dhe1024dsa = 0; 372 EC_KEY *ecdh = NULL; 373 int no_dhe = 0; 374 int no_ecdhe = 0; 375 int print_time = 0; 376 clock_t s_time = 0, c_time = 0; 377 int test_cipherlist = 0; 378 379 verbose = 0; 380 debug = 0; 381 cipher = 0; 382 383 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE|BIO_FP_TEXT); 384 385 386 CRYPTO_set_locking_callback(lock_dbg_cb); 387 388 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE|BIO_FP_TEXT); 389 390 argc--; 391 argv++; 392 393 while (argc >= 1) { 394 if (!strcmp(*argv, "-F")) { 395 fprintf(stderr, "not compiled with FIPS support, so exitting without running.\n"); 396 exit(0); 397 } else if (strcmp(*argv, "-server_auth") == 0) 398 server_auth = 1; 399 else if (strcmp(*argv, "-client_auth") == 0) 400 client_auth = 1; 401 else if (strcmp(*argv, "-proxy_auth") == 0) { 402 if (--argc < 1) 403 goto bad; 404 app_verify_arg.proxy_auth= *(++argv); 405 } else if (strcmp(*argv, "-proxy_cond") == 0) { 406 if (--argc < 1) 407 goto bad; 408 app_verify_arg.proxy_cond= *(++argv); 409 } else if (strcmp(*argv, "-v") == 0) 410 verbose = 1; 411 else if (strcmp(*argv, "-d") == 0) 412 debug = 1; 413 else if (strcmp(*argv, "-reuse") == 0) 414 reuse = 1; 415 else if (strcmp(*argv, "-dhe1024") == 0) { 416 dhe1024 = 1; 417 } else if (strcmp(*argv, "-dhe1024dsa") == 0) { 418 dhe1024dsa = 1; 419 } else if (strcmp(*argv, "-no_dhe") == 0) 420 no_dhe = 1; 421 else if (strcmp(*argv, "-no_ecdhe") == 0) 422 no_ecdhe = 1; 423 else if (strcmp(*argv, "-dtls1") == 0) 424 dtls1 = 1; 425 else if (strcmp(*argv, "-ssl2") == 0) 426 ssl2 = 1; 427 else if (strcmp(*argv, "-ssl3") == 0) 428 ssl3 = 1; 429 else if (strcmp(*argv, "-tls1") == 0) 430 tls1 = 1; 431 else if (strncmp(*argv, "-num", 4) == 0) { 432 if (--argc < 1) 433 goto bad; 434 number = atoi(*(++argv)); 435 if (number == 0) 436 number = 1; 437 } else if (strcmp(*argv, "-bytes") == 0) { 438 if (--argc < 1) 439 goto bad; 440 bytes = atol(*(++argv)); 441 if (bytes == 0L) 442 bytes = 1L; 443 i = strlen(argv[0]); 444 if (argv[0][i - 1] == 'k') 445 bytes*=1024L; 446 if (argv[0][i - 1] == 'm') 447 bytes*=1024L*1024L; 448 } else if (strcmp(*argv, "-cert") == 0) { 449 if (--argc < 1) 450 goto bad; 451 server_cert= *(++argv); 452 } else if (strcmp(*argv, "-s_cert") == 0) { 453 if (--argc < 1) 454 goto bad; 455 server_cert= *(++argv); 456 } else if (strcmp(*argv, "-key") == 0) { 457 if (--argc < 1) 458 goto bad; 459 server_key= *(++argv); 460 } else if (strcmp(*argv, "-s_key") == 0) { 461 if (--argc < 1) 462 goto bad; 463 server_key= *(++argv); 464 } else if (strcmp(*argv, "-c_cert") == 0) { 465 if (--argc < 1) 466 goto bad; 467 client_cert= *(++argv); 468 } else if (strcmp(*argv, "-c_key") == 0) { 469 if (--argc < 1) 470 goto bad; 471 client_key= *(++argv); 472 } else if (strcmp(*argv, "-cipher") == 0) { 473 if (--argc < 1) 474 goto bad; 475 cipher= *(++argv); 476 } else if (strcmp(*argv, "-CApath") == 0) { 477 if (--argc < 1) 478 goto bad; 479 CApath= *(++argv); 480 } else if (strcmp(*argv, "-CAfile") == 0) { 481 if (--argc < 1) 482 goto bad; 483 CAfile= *(++argv); 484 } else if (strcmp(*argv, "-bio_pair") == 0) { 485 bio_pair = 1; 486 } else if (strcmp(*argv, "-f") == 0) { 487 force = 1; 488 } else if (strcmp(*argv, "-time") == 0) { 489 print_time = 1; 490 } else if (strcmp(*argv, "-named_curve") == 0) { 491 if (--argc < 1) 492 goto bad; 493 named_curve = *(++argv); 494 } else if (strcmp(*argv, "-app_verify") == 0) { 495 app_verify_arg.app_verify = 1; 496 } else if (strcmp(*argv, "-proxy") == 0) { 497 app_verify_arg.allow_proxy_certs = 1; 498 } else if (strcmp(*argv, "-test_cipherlist") == 0) { 499 test_cipherlist = 1; 500 } else { 501 fprintf(stderr, "unknown option %s\n", *argv); 502 badop = 1; 503 break; 504 } 505 argc--; 506 argv++; 507 } 508 if (badop) { 509bad: 510 sv_usage(); 511 goto end; 512 } 513 514 if (test_cipherlist == 1) { 515 /* ensure that the cipher list are correctly sorted and exit */ 516 if (do_test_cipherlist() == 0) 517 exit(1); 518 ret = 0; 519 goto end; 520 } 521 522 if (!dtls1 && !ssl2 && !ssl3 && !tls1 && 523 number > 1 && !reuse && !force) { 524 fprintf(stderr, 525 "This case cannot work. Use -f to perform " 526 "the test anyway (and\n-d to see what happens), " 527 "or add one of -dtls1, -ssl2, -ssl3, -tls1, -reuse\n" 528 "to avoid protocol mismatch.\n"); 529 exit(1); 530 } 531 532 if (print_time) { 533 if (!bio_pair) { 534 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 535 bio_pair = 1; 536 } 537 if (number < 50 && !force) 538 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 539 } 540 541/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ 542 543 SSL_library_init(); 544 SSL_load_error_strings(); 545 546 547 if (dtls1) 548 meth = DTLSv1_method(); 549 else if (tls1) 550 meth = TLSv1_method(); 551 else if (ssl3) 552 meth = SSLv3_method(); 553 else 554 meth = SSLv23_method(); 555 556 c_ctx = SSL_CTX_new(meth); 557 s_ctx = SSL_CTX_new(meth); 558 if ((c_ctx == NULL) || (s_ctx == NULL)) { 559 ERR_print_errors(bio_err); 560 goto end; 561 } 562 563 if (cipher != NULL) { 564 SSL_CTX_set_cipher_list(c_ctx, cipher); 565 SSL_CTX_set_cipher_list(s_ctx, cipher); 566 } 567 568 if (!no_dhe) { 569 if (dhe1024dsa) { 570 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ 571 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 572 dh = get_dh1024dsa(); 573 } else if (dhe1024) 574 dh = get_dh1024(); 575 else 576 dh = get_dh512(); 577 SSL_CTX_set_tmp_dh(s_ctx, dh); 578 DH_free(dh); 579 } 580 581 if (!no_ecdhe) { 582 int nid; 583 584 if (named_curve != NULL) { 585 nid = OBJ_sn2nid(named_curve); 586 if (nid == 0) { 587 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); 588 goto end; 589 } 590 } else 591#ifdef OPENSSL_NO_EC2M 592 nid = NID_X9_62_prime256v1; 593#else 594 nid = NID_sect163r2; 595#endif 596 597 ecdh = EC_KEY_new_by_curve_name(nid); 598 if (ecdh == NULL) { 599 BIO_printf(bio_err, "unable to create curve\n"); 600 goto end; 601 } 602 603 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); 604 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); 605 EC_KEY_free(ecdh); 606 } 607 608 SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); 609 610 if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { 611 ERR_print_errors(bio_err); 612 } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, 613 (server_key ? server_key : server_cert), SSL_FILETYPE_PEM)) { 614 ERR_print_errors(bio_err); 615 goto end; 616 } 617 618 if (client_auth) { 619 SSL_CTX_use_certificate_file(c_ctx, client_cert, 620 SSL_FILETYPE_PEM); 621 SSL_CTX_use_PrivateKey_file(c_ctx, 622 (client_key ? client_key : client_cert), 623 SSL_FILETYPE_PEM); 624 } 625 626 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || 627 (!SSL_CTX_set_default_verify_paths(s_ctx)) || 628 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || 629 (!SSL_CTX_set_default_verify_paths(c_ctx))) { 630 /* fprintf(stderr,"SSL_load_verify_locations\n"); */ 631 ERR_print_errors(bio_err); 632 /* goto end; */ 633 } 634 635 if (client_auth) { 636 BIO_printf(bio_err, "client authentication\n"); 637 SSL_CTX_set_verify(s_ctx, 638 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 639 verify_callback); 640 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); 641 } 642 if (server_auth) { 643 BIO_printf(bio_err, "server authentication\n"); 644 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, 645 verify_callback); 646 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); 647 } 648 649 { 650 int session_id_context = 0; 651 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); 652 } 653 654 c_ssl = SSL_new(c_ctx); 655 s_ssl = SSL_new(s_ctx); 656 657 for (i = 0; i < number; i++) { 658 if (!reuse) 659 SSL_set_session(c_ssl, NULL); 660 if (bio_pair) 661 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time); 662 else 663 ret = doit(s_ssl, c_ssl, bytes); 664 } 665 666 if (!verbose) { 667 print_details(c_ssl, ""); 668 } 669 if ((number > 1) || (bytes > 1L)) 670 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", number, bytes); 671 if (print_time) { 672#ifdef CLOCKS_PER_SEC 673 /* "To determine the time in seconds, the value returned 674 * by the clock function should be divided by the value 675 * of the macro CLOCKS_PER_SEC." 676 * -- ISO/IEC 9899 */ 677 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" 678 "Approximate total client time: %6.2f s\n", 679 (double)s_time/CLOCKS_PER_SEC, 680 (double)c_time/CLOCKS_PER_SEC); 681#else 682 /* "`CLOCKS_PER_SEC' undeclared (first use this function)" 683 * -- cc on NeXTstep/OpenStep */ 684 BIO_printf(bio_stdout, 685 "Approximate total server time: %6.2f units\n" 686 "Approximate total client time: %6.2f units\n", 687 (double)s_time, 688 (double)c_time); 689#endif 690 } 691 692 SSL_free(s_ssl); 693 SSL_free(c_ssl); 694 695end: 696 if (s_ctx != NULL) 697 SSL_CTX_free(s_ctx); 698 if (c_ctx != NULL) 699 SSL_CTX_free(c_ctx); 700 701 if (bio_stdout != NULL) 702 BIO_free(bio_stdout); 703 704 free_tmp_rsa(); 705#ifndef OPENSSL_NO_ENGINE 706 ENGINE_cleanup(); 707#endif 708 CRYPTO_cleanup_all_ex_data(); 709 ERR_free_strings(); 710 ERR_remove_thread_state(NULL); 711 EVP_cleanup(); 712 CRYPTO_mem_leaks(bio_err); 713 if (bio_err != NULL) 714 BIO_free(bio_err); 715 exit(ret); 716 return ret; 717} 718 719int 720doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, clock_t *s_time, 721 clock_t *c_time) 722{ 723 long cw_num = count, cr_num = count, sw_num = count, sr_num = count; 724 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; 725 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; 726 int ret = 1; 727 728 size_t bufsiz = 256; /* small buffer for testing */ 729 730 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) 731 goto err; 732 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) 733 goto err; 734 735 s_ssl_bio = BIO_new(BIO_f_ssl()); 736 if (!s_ssl_bio) 737 goto err; 738 739 c_ssl_bio = BIO_new(BIO_f_ssl()); 740 if (!c_ssl_bio) 741 goto err; 742 743 SSL_set_connect_state(c_ssl); 744 SSL_set_bio(c_ssl, client, client); 745 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); 746 747 SSL_set_accept_state(s_ssl); 748 SSL_set_bio(s_ssl, server, server); 749 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); 750 751 do { 752 /* c_ssl_bio: SSL filter BIO 753 * 754 * client: pseudo-I/O for SSL library 755 * 756 * client_io: client's SSL communication; usually to be 757 * relayed over some I/O facility, but in this 758 * test program, we're the server, too: 759 * 760 * server_io: server's SSL communication 761 * 762 * server: pseudo-I/O for SSL library 763 * 764 * s_ssl_bio: SSL filter BIO 765 * 766 * The client and the server each employ a "BIO pair": 767 * client + client_io, server + server_io. 768 * BIO pairs are symmetric. A BIO pair behaves similar 769 * to a non-blocking socketpair (but both endpoints must 770 * be handled by the same thread). 771 * [Here we could connect client and server to the ends 772 * of a single BIO pair, but then this code would be less 773 * suitable as an example for BIO pairs in general.] 774 * 775 * Useful functions for querying the state of BIO pair endpoints: 776 * 777 * BIO_ctrl_pending(bio) number of bytes we can read now 778 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil 779 * other side's read attempt 780 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 781 * 782 * ..._read_request is never more than ..._write_guarantee; 783 * it depends on the application which one you should use. 784 */ 785 786 /* We have non-blocking behaviour throughout this test program, but 787 * can be sure that there is *some* progress in each iteration; so 788 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE 789 * -- we just try everything in each iteration 790 */ 791 792 { 793 /* CLIENT */ 794 795 char cbuf[1024*8]; 796 int i, r; 797 clock_t c_clock = clock(); 798 799 memset(cbuf, 0, sizeof(cbuf)); 800 801 if (debug) 802 if (SSL_in_init(c_ssl)) 803 printf("client waiting in SSL_connect - %s\n", 804 SSL_state_string_long(c_ssl)); 805 806 if (cw_num > 0) { 807 /* Write to server. */ 808 809 if (cw_num > (long)sizeof cbuf) 810 i = sizeof cbuf; 811 else 812 i = (int)cw_num; 813 r = BIO_write(c_ssl_bio, cbuf, i); 814 if (r < 0) { 815 if (!BIO_should_retry(c_ssl_bio)) { 816 fprintf(stderr, "ERROR in CLIENT\n"); 817 goto err; 818 } 819 /* BIO_should_retry(...) can just be ignored here. 820 * The library expects us to call BIO_write with 821 * the same arguments again, and that's what we will 822 * do in the next iteration. */ 823 } else if (r == 0) { 824 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 825 goto err; 826 } else { 827 if (debug) 828 printf("client wrote %d\n", r); 829 cw_num -= r; 830 831 } 832 } 833 834 if (cr_num > 0) { 835 /* Read from server. */ 836 837 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 838 if (r < 0) { 839 if (!BIO_should_retry(c_ssl_bio)) { 840 fprintf(stderr, "ERROR in CLIENT\n"); 841 goto err; 842 } 843 /* Again, "BIO_should_retry" can be ignored. */ 844 } else if (r == 0) { 845 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 846 goto err; 847 } else { 848 if (debug) 849 printf("client read %d\n", r); 850 cr_num -= r; 851 } 852 } 853 854 /* c_time and s_time increments will typically be very small 855 * (depending on machine speed and clock tick intervals), 856 * but sampling over a large number of connections should 857 * result in fairly accurate figures. We cannot guarantee 858 * a lot, however -- if each connection lasts for exactly 859 * one clock tick, it will be counted only for the client 860 * or only for the server or even not at all. 861 */ 862 *c_time += (clock() - c_clock); 863 } 864 865 { 866 /* SERVER */ 867 868 char sbuf[1024*8]; 869 int i, r; 870 clock_t s_clock = clock(); 871 872 memset(sbuf, 0, sizeof(sbuf)); 873 874 if (debug) 875 if (SSL_in_init(s_ssl)) 876 printf("server waiting in SSL_accept - %s\n", 877 SSL_state_string_long(s_ssl)); 878 879 if (sw_num > 0) { 880 /* Write to client. */ 881 882 if (sw_num > (long)sizeof sbuf) 883 i = sizeof sbuf; 884 else 885 i = (int)sw_num; 886 r = BIO_write(s_ssl_bio, sbuf, i); 887 if (r < 0) { 888 if (!BIO_should_retry(s_ssl_bio)) { 889 fprintf(stderr, "ERROR in SERVER\n"); 890 goto err; 891 } 892 /* Ignore "BIO_should_retry". */ 893 } else if (r == 0) { 894 fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); 895 goto err; 896 } else { 897 if (debug) 898 printf("server wrote %d\n", r); 899 sw_num -= r; 900 901 } 902 } 903 904 if (sr_num > 0) { 905 /* Read from client. */ 906 907 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 908 if (r < 0) { 909 if (!BIO_should_retry(s_ssl_bio)) { 910 fprintf(stderr, "ERROR in SERVER\n"); 911 goto err; 912 } 913 /* blah, blah */ 914 } else if (r == 0) { 915 fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); 916 goto err; 917 } else { 918 if (debug) 919 printf("server read %d\n", r); 920 sr_num -= r; 921 } 922 } 923 924 *s_time += (clock() - s_clock); 925 } 926 927 { 928 /* "I/O" BETWEEN CLIENT AND SERVER. */ 929 930 size_t r1, r2; 931 BIO *io1 = server_io, *io2 = client_io; 932 /* we use the non-copying interface for io1 933 * and the standard BIO_write/BIO_read interface for io2 934 */ 935 936 static int prev_progress = 1; 937 int progress = 0; 938 939 /* io1 to io2 */ 940 do 941 { 942 size_t num; 943 int r; 944 945 r1 = BIO_ctrl_pending(io1); 946 r2 = BIO_ctrl_get_write_guarantee(io2); 947 948 num = r1; 949 if (r2 < num) 950 num = r2; 951 if (num) { 952 char *dataptr; 953 954 if (INT_MAX < num) /* yeah, right */ 955 num = INT_MAX; 956 957 r = BIO_nread(io1, &dataptr, (int)num); 958 assert(r > 0); 959 assert(r <= (int)num); 960 /* possibly r < num (non-contiguous data) */ 961 num = r; 962 r = BIO_write(io2, dataptr, (int)num); 963 if (r != (int)num) /* can't happen */ 964 { 965 fprintf(stderr, "ERROR: BIO_write could not write " 966 "BIO_ctrl_get_write_guarantee() bytes"); 967 goto err; 968 } 969 progress = 1; 970 971 if (debug) 972 printf((io1 == client_io) ? 973 "C->S relaying: %d bytes\n" : 974 "S->C relaying: %d bytes\n", 975 (int)num); 976 } 977 } while (r1 && r2); 978 979 /* io2 to io1 */ 980 { 981 size_t num; 982 int r; 983 984 r1 = BIO_ctrl_pending(io2); 985 r2 = BIO_ctrl_get_read_request(io1); 986 /* here we could use ..._get_write_guarantee instead of 987 * ..._get_read_request, but by using the latter 988 * we test restartability of the SSL implementation 989 * more thoroughly */ 990 num = r1; 991 if (r2 < num) 992 num = r2; 993 if (num) { 994 char *dataptr; 995 996 if (INT_MAX < num) 997 num = INT_MAX; 998 999 if (num > 1) 1000 --num; /* test restartability even more thoroughly */ 1001 1002 r = BIO_nwrite0(io1, &dataptr); 1003 assert(r > 0); 1004 if (r < (int)num) 1005 num = r; 1006 r = BIO_read(io2, dataptr, (int)num); 1007 if (r != (int)num) /* can't happen */ 1008 { 1009 fprintf(stderr, "ERROR: BIO_read could not read " 1010 "BIO_ctrl_pending() bytes"); 1011 goto err; 1012 } 1013 progress = 1; 1014 r = BIO_nwrite(io1, &dataptr, (int)num); 1015 if (r != (int)num) /* can't happen */ 1016 { 1017 fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 1018 "BIO_nwrite0() bytes"); 1019 goto err; 1020 } 1021 1022 if (debug) 1023 printf((io2 == client_io) ? 1024 "C->S relaying: %d bytes\n" : 1025 "S->C relaying: %d bytes\n", 1026 (int)num); 1027 } 1028 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ 1029 1030 if (!progress && !prev_progress) 1031 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) { 1032 fprintf(stderr, "ERROR: got stuck\n"); 1033 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) { 1034 fprintf(stderr, "This can happen for SSL2 because " 1035 "CLIENT-FINISHED and SERVER-VERIFY are written \n" 1036 "concurrently ..."); 1037 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 1038 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) { 1039 fprintf(stderr, " ok.\n"); 1040 goto end; 1041 } 1042 } 1043 fprintf(stderr, " ERROR.\n"); 1044 goto err; 1045 } 1046 prev_progress = progress; 1047 } 1048 } while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 1049 1050 if (verbose) 1051 print_details(c_ssl, "DONE via BIO pair: "); 1052end: 1053 ret = 0; 1054 1055 err: 1056 ERR_print_errors(bio_err); 1057 1058 if (server) 1059 BIO_free(server); 1060 if (server_io) 1061 BIO_free(server_io); 1062 if (client) 1063 BIO_free(client); 1064 if (client_io) 1065 BIO_free(client_io); 1066 if (s_ssl_bio) 1067 BIO_free(s_ssl_bio); 1068 if (c_ssl_bio) 1069 BIO_free(c_ssl_bio); 1070 1071 return ret; 1072} 1073 1074 1075#define W_READ 1 1076#define W_WRITE 2 1077#define C_DONE 1 1078#define S_DONE 2 1079 1080int 1081doit(SSL *s_ssl, SSL *c_ssl, long count) 1082{ 1083 char cbuf[1024*8], sbuf[1024*8]; 1084 long cw_num = count, cr_num = count; 1085 long sw_num = count, sr_num = count; 1086 int ret = 1; 1087 BIO *c_to_s = NULL; 1088 BIO *s_to_c = NULL; 1089 BIO *c_bio = NULL; 1090 BIO *s_bio = NULL; 1091 int c_r, c_w, s_r, s_w; 1092 int i, j; 1093 int done = 0; 1094 int c_write, s_write; 1095 int do_server = 0, do_client = 0; 1096 1097 memset(cbuf, 0, sizeof(cbuf)); 1098 memset(sbuf, 0, sizeof(sbuf)); 1099 1100 c_to_s = BIO_new(BIO_s_mem()); 1101 s_to_c = BIO_new(BIO_s_mem()); 1102 if ((s_to_c == NULL) || (c_to_s == NULL)) { 1103 ERR_print_errors(bio_err); 1104 goto err; 1105 } 1106 1107 c_bio = BIO_new(BIO_f_ssl()); 1108 s_bio = BIO_new(BIO_f_ssl()); 1109 if ((c_bio == NULL) || (s_bio == NULL)) { 1110 ERR_print_errors(bio_err); 1111 goto err; 1112 } 1113 1114 SSL_set_connect_state(c_ssl); 1115 SSL_set_bio(c_ssl, s_to_c, c_to_s); 1116 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE); 1117 1118 SSL_set_accept_state(s_ssl); 1119 SSL_set_bio(s_ssl, c_to_s, s_to_c); 1120 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE); 1121 1122 c_r = 0; 1123 s_r = 1; 1124 c_w = 1; 1125 s_w = 0; 1126 c_write = 1, s_write = 0; 1127 1128 /* We can always do writes */ 1129 for (;;) { 1130 do_server = 0; 1131 do_client = 0; 1132 1133 i = (int)BIO_pending(s_bio); 1134 if ((i && s_r) || s_w) 1135 do_server = 1; 1136 1137 i = (int)BIO_pending(c_bio); 1138 if ((i && c_r) || c_w) 1139 do_client = 1; 1140 1141 if (do_server && debug) { 1142 if (SSL_in_init(s_ssl)) 1143 printf("server waiting in SSL_accept - %s\n", 1144 SSL_state_string_long(s_ssl)); 1145/* else if (s_write) 1146 printf("server:SSL_write()\n"); 1147 else 1148 printf("server:SSL_read()\n"); */ 1149 } 1150 1151 if (do_client && debug) { 1152 if (SSL_in_init(c_ssl)) 1153 printf("client waiting in SSL_connect - %s\n", 1154 SSL_state_string_long(c_ssl)); 1155/* else if (c_write) 1156 printf("client:SSL_write()\n"); 1157 else 1158 printf("client:SSL_read()\n"); */ 1159 } 1160 1161 if (!do_client && !do_server) { 1162 fprintf(stdout, "ERROR IN STARTUP\n"); 1163 ERR_print_errors(bio_err); 1164 break; 1165 } 1166 if (do_client && !(done & C_DONE)) { 1167 if (c_write) { 1168 j = (cw_num > (long)sizeof(cbuf)) ? 1169 (int)sizeof(cbuf) : (int)cw_num; 1170 i = BIO_write(c_bio, cbuf, j); 1171 if (i < 0) { 1172 c_r = 0; 1173 c_w = 0; 1174 if (BIO_should_retry(c_bio)) { 1175 if (BIO_should_read(c_bio)) 1176 c_r = 1; 1177 if (BIO_should_write(c_bio)) 1178 c_w = 1; 1179 } else { 1180 fprintf(stderr, "ERROR in CLIENT\n"); 1181 ERR_print_errors(bio_err); 1182 goto err; 1183 } 1184 } else if (i == 0) { 1185 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 1186 goto err; 1187 } else { 1188 if (debug) 1189 printf("client wrote %d\n", i); 1190 /* ok */ 1191 s_r = 1; 1192 c_write = 0; 1193 cw_num -= i; 1194 } 1195 } else { 1196 i = BIO_read(c_bio, cbuf, sizeof(cbuf)); 1197 if (i < 0) { 1198 c_r = 0; 1199 c_w = 0; 1200 if (BIO_should_retry(c_bio)) { 1201 if (BIO_should_read(c_bio)) 1202 c_r = 1; 1203 if (BIO_should_write(c_bio)) 1204 c_w = 1; 1205 } else { 1206 fprintf(stderr, "ERROR in CLIENT\n"); 1207 ERR_print_errors(bio_err); 1208 goto err; 1209 } 1210 } else if (i == 0) { 1211 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 1212 goto err; 1213 } else { 1214 if (debug) 1215 printf("client read %d\n", i); 1216 cr_num -= i; 1217 if (sw_num > 0) { 1218 s_write = 1; 1219 s_w = 1; 1220 } 1221 if (cr_num <= 0) { 1222 s_write = 1; 1223 s_w = 1; 1224 done = S_DONE|C_DONE; 1225 } 1226 } 1227 } 1228 } 1229 1230 if (do_server && !(done & S_DONE)) { 1231 if (!s_write) { 1232 i = BIO_read(s_bio, sbuf, sizeof(cbuf)); 1233 if (i < 0) { 1234 s_r = 0; 1235 s_w = 0; 1236 if (BIO_should_retry(s_bio)) { 1237 if (BIO_should_read(s_bio)) 1238 s_r = 1; 1239 if (BIO_should_write(s_bio)) 1240 s_w = 1; 1241 } else { 1242 fprintf(stderr, "ERROR in SERVER\n"); 1243 ERR_print_errors(bio_err); 1244 goto err; 1245 } 1246 } else if (i == 0) { 1247 ERR_print_errors(bio_err); 1248 fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_read\n"); 1249 goto err; 1250 } else { 1251 if (debug) 1252 printf("server read %d\n", i); 1253 sr_num -= i; 1254 if (cw_num > 0) { 1255 c_write = 1; 1256 c_w = 1; 1257 } 1258 if (sr_num <= 0) { 1259 s_write = 1; 1260 s_w = 1; 1261 c_write = 0; 1262 } 1263 } 1264 } else { 1265 j = (sw_num > (long)sizeof(sbuf)) ? 1266 (int)sizeof(sbuf) : (int)sw_num; 1267 i = BIO_write(s_bio, sbuf, j); 1268 if (i < 0) { 1269 s_r = 0; 1270 s_w = 0; 1271 if (BIO_should_retry(s_bio)) { 1272 if (BIO_should_read(s_bio)) 1273 s_r = 1; 1274 if (BIO_should_write(s_bio)) 1275 s_w = 1; 1276 } else { 1277 fprintf(stderr, "ERROR in SERVER\n"); 1278 ERR_print_errors(bio_err); 1279 goto err; 1280 } 1281 } else if (i == 0) { 1282 ERR_print_errors(bio_err); 1283 fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_write\n"); 1284 goto err; 1285 } else { 1286 if (debug) 1287 printf("server wrote %d\n", i); 1288 sw_num -= i; 1289 s_write = 0; 1290 c_r = 1; 1291 if (sw_num <= 0) 1292 done|=S_DONE; 1293 } 1294 } 1295 } 1296 1297 if ((done & S_DONE) 1298 && (done & C_DONE)) break; 1299 } 1300 1301 if (verbose) 1302 print_details(c_ssl, "DONE: "); 1303 ret = 0; 1304err: 1305 /* We have to set the BIO's to NULL otherwise they will be 1306 * free()ed twice. Once when th s_ssl is SSL_free()ed and 1307 * again when c_ssl is SSL_free()ed. 1308 * This is a hack required because s_ssl and c_ssl are sharing the same 1309 * BIO structure and SSL_set_bio() and SSL_free() automatically 1310 * BIO_free non NULL entries. 1311 * You should not normally do this or be required to do this */ 1312 if (s_ssl != NULL) { 1313 s_ssl->rbio = NULL; 1314 s_ssl->wbio = NULL; 1315 } 1316 if (c_ssl != NULL) { 1317 c_ssl->rbio = NULL; 1318 c_ssl->wbio = NULL; 1319 } 1320 1321 if (c_to_s != NULL) 1322 BIO_free(c_to_s); 1323 if (s_to_c != NULL) 1324 BIO_free(s_to_c); 1325 if (c_bio != NULL) 1326 BIO_free_all(c_bio); 1327 if (s_bio != NULL) 1328 BIO_free_all(s_bio); 1329 return (ret); 1330} 1331 1332static int 1333get_proxy_auth_ex_data_idx(void) 1334{ 1335 static volatile int idx = -1; 1336 if (idx < 0) { 1337 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 1338 if (idx < 0) { 1339 idx = X509_STORE_CTX_get_ex_new_index(0, 1340 "SSLtest for verify callback", NULL, NULL, NULL); 1341 } 1342 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 1343 } 1344 return idx; 1345} 1346 1347static int 1348verify_callback(int ok, X509_STORE_CTX *ctx) 1349{ 1350 char *s, buf[256]; 1351 1352 s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, 1353 sizeof buf); 1354 if (s != NULL) { 1355 if (ok) 1356 fprintf(stderr, "depth=%d %s\n", 1357 ctx->error_depth, buf); 1358 else { 1359 fprintf(stderr, "depth=%d error=%d %s\n", 1360 ctx->error_depth, ctx->error, buf); 1361 } 1362 } 1363 1364 if (ok == 0) { 1365 fprintf(stderr, "Error string: %s\n", 1366 X509_verify_cert_error_string(ctx->error)); 1367 switch (ctx->error) { 1368 case X509_V_ERR_CERT_NOT_YET_VALID: 1369 case X509_V_ERR_CERT_HAS_EXPIRED: 1370 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 1371 fprintf(stderr, " ... ignored.\n"); 1372 ok = 1; 1373 } 1374 } 1375 1376 if (ok == 1) { 1377 X509 *xs = ctx->current_cert; 1378#if 0 1379 X509 *xi = ctx->current_issuer; 1380#endif 1381 1382 if (xs->ex_flags & EXFLAG_PROXY) { 1383 unsigned int *letters = 1384 X509_STORE_CTX_get_ex_data(ctx, 1385 get_proxy_auth_ex_data_idx()); 1386 1387 if (letters) { 1388 int found_any = 0; 1389 int i; 1390 PROXY_CERT_INFO_EXTENSION *pci = 1391 X509_get_ext_d2i(xs, NID_proxyCertInfo, 1392 NULL, NULL); 1393 1394 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) { 1395 case NID_Independent: 1396 /* Completely meaningless in this 1397 program, as there's no way to 1398 grant explicit rights to a 1399 specific PrC. Basically, using 1400 id-ppl-Independent is the perfect 1401 way to grant no rights at all. */ 1402 fprintf(stderr, " Independent proxy certificate"); 1403 for (i = 0; i < 26; i++) 1404 letters[i] = 0; 1405 break; 1406 case NID_id_ppl_inheritAll: 1407 /* This is basically a NOP, we 1408 simply let the current rights 1409 stand as they are. */ 1410 fprintf(stderr, " Proxy certificate inherits all"); 1411 break; 1412 default: 1413 s = (char *) 1414 pci->proxyPolicy->policy->data; 1415 i = pci->proxyPolicy->policy->length; 1416 1417 /* The algorithm works as follows: 1418 it is assumed that previous 1419 iterations or the initial granted 1420 rights has already set some elements 1421 of `letters'. What we need to do is 1422 to clear those that weren't granted 1423 by the current PrC as well. The 1424 easiest way to do this is to add 1 1425 to all the elements whose letters 1426 are given with the current policy. 1427 That way, all elements that are set 1428 by the current policy and were 1429 already set by earlier policies and 1430 through the original grant of rights 1431 will get the value 2 or higher. 1432 The last thing to do is to sweep 1433 through `letters' and keep the 1434 elements having the value 2 as set, 1435 and clear all the others. */ 1436 1437 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); 1438 while (i-- > 0) { 1439 int c = *s++; 1440 if (isascii(c) && isalpha(c)) { 1441 if (islower(c)) 1442 c = toupper(c); 1443 letters[c - 'A']++; 1444 } 1445 } 1446 for (i = 0; i < 26; i++) 1447 if (letters[i] < 2) 1448 letters[i] = 0; 1449 else 1450 letters[i] = 1; 1451 } 1452 1453 found_any = 0; 1454 fprintf(stderr, ", resulting proxy rights = "); 1455 for (i = 0; i < 26; i++) 1456 if (letters[i]) { 1457 fprintf(stderr, "%c", i + 'A'); 1458 found_any = 1; 1459 } 1460 if (!found_any) 1461 fprintf(stderr, "none"); 1462 fprintf(stderr, "\n"); 1463 1464 PROXY_CERT_INFO_EXTENSION_free(pci); 1465 } 1466 } 1467 } 1468 1469 return (ok); 1470} 1471 1472static void 1473process_proxy_debug(int indent, const char *format, ...) 1474{ 1475 static const char indentation[] = 1476 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" 1477 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ 1478 char my_format[256]; 1479 va_list args; 1480 1481 (void) snprintf(my_format, sizeof(my_format), "%*.*s %s", 1482 indent, indent, indentation, format); 1483 1484 va_start(args, format); 1485 vfprintf(stderr, my_format, args); 1486 va_end(args); 1487} 1488/* Priority levels: 1489 0 [!]var, () 1490 1 & ^ 1491 2 | 1492*/ 1493static int process_proxy_cond_adders(unsigned int letters[26], 1494 const char *cond, const char **cond_end, int *pos, int indent); 1495 1496static int 1497process_proxy_cond_val(unsigned int letters[26], const char *cond, 1498 const char **cond_end, int *pos, int indent) 1499{ 1500 int c; 1501 int ok = 1; 1502 int negate = 0; 1503 1504 while (isspace((int)*cond)) { 1505 cond++; 1506 (*pos)++; 1507 } 1508 c = *cond; 1509 1510 if (debug) 1511 process_proxy_debug(indent, 1512 "Start process_proxy_cond_val at position %d: %s\n", 1513 *pos, cond); 1514 1515 while (c == '!') { 1516 negate = !negate; 1517 cond++; 1518 (*pos)++; 1519 while (isspace((int)*cond)) { 1520 cond++; 1521 (*pos)++; 1522 } 1523 c = *cond; 1524 } 1525 1526 if (c == '(') { 1527 cond++; 1528 (*pos)++; 1529 ok = process_proxy_cond_adders(letters, cond, cond_end, pos, 1530 indent + 1); 1531 cond = *cond_end; 1532 if (ok < 0) 1533 goto end; 1534 while (isspace((int)*cond)) { 1535 cond++; 1536 (*pos)++; 1537 } 1538 c = *cond; 1539 if (c != ')') { 1540 fprintf(stderr, 1541 "Weird condition character in position %d: " 1542 "%c\n", *pos, c); 1543 ok = -1; 1544 goto end; 1545 } 1546 cond++; 1547 (*pos)++; 1548 } else if (isascii(c) && isalpha(c)) { 1549 if (islower(c)) 1550 c = toupper(c); 1551 ok = letters[c - 'A']; 1552 cond++; 1553 (*pos)++; 1554 } else { 1555 fprintf(stderr, 1556 "Weird condition character in position %d: " 1557 "%c\n", *pos, c); 1558 ok = -1; 1559 goto end; 1560 } 1561 end: 1562 *cond_end = cond; 1563 if (ok >= 0 && negate) 1564 ok = !ok; 1565 1566 if (debug) 1567 process_proxy_debug(indent, 1568 "End process_proxy_cond_val at position %d: %s, returning %d\n", 1569 *pos, cond, ok); 1570 1571 return ok; 1572} 1573 1574static int 1575process_proxy_cond_multipliers(unsigned int letters[26], const char *cond, 1576 const char **cond_end, int *pos, int indent) 1577{ 1578 int ok; 1579 char c; 1580 1581 if (debug) 1582 process_proxy_debug(indent, 1583 "Start process_proxy_cond_multipliers at position %d: %s\n", 1584 *pos, cond); 1585 1586 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); 1587 cond = *cond_end; 1588 if (ok < 0) 1589 goto end; 1590 1591 while (ok >= 0) { 1592 while (isspace((int)*cond)) { 1593 cond++; 1594 (*pos)++; 1595 } 1596 c = *cond; 1597 1598 switch (c) { 1599 case '&': 1600 case '^': 1601 { 1602 int save_ok = ok; 1603 1604 cond++; 1605 (*pos)++; 1606 ok = process_proxy_cond_val(letters, 1607 cond, cond_end, pos, indent + 1); 1608 cond = *cond_end; 1609 if (ok < 0) 1610 break; 1611 1612 switch (c) { 1613 case '&': 1614 ok &= save_ok; 1615 break; 1616 case '^': 1617 ok ^= save_ok; 1618 break; 1619 default: 1620 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1621 " STOPPING\n"); 1622 exit(1); 1623 } 1624 } 1625 break; 1626 default: 1627 goto end; 1628 } 1629 } 1630 end: 1631 if (debug) 1632 process_proxy_debug(indent, 1633 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", 1634 *pos, cond, ok); 1635 1636 *cond_end = cond; 1637 return ok; 1638} 1639 1640static int 1641process_proxy_cond_adders(unsigned int letters[26], const char *cond, 1642 const char **cond_end, int *pos, int indent) 1643{ 1644 int ok; 1645 char c; 1646 1647 if (debug) 1648 process_proxy_debug(indent, 1649 "Start process_proxy_cond_adders at position %d: %s\n", 1650 *pos, cond); 1651 1652 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, 1653 indent + 1); 1654 cond = *cond_end; 1655 if (ok < 0) 1656 goto end; 1657 1658 while (ok >= 0) { 1659 while (isspace((int)*cond)) { 1660 cond++; 1661 (*pos)++; 1662 } 1663 c = *cond; 1664 1665 switch (c) { 1666 case '|': 1667 { 1668 int save_ok = ok; 1669 1670 cond++; 1671 (*pos)++; 1672 ok = process_proxy_cond_multipliers(letters, 1673 cond, cond_end, pos, indent + 1); 1674 cond = *cond_end; 1675 if (ok < 0) 1676 break; 1677 1678 switch (c) { 1679 case '|': 1680 ok |= save_ok; 1681 break; 1682 default: 1683 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1684 " STOPPING\n"); 1685 exit(1); 1686 } 1687 } 1688 break; 1689 default: 1690 goto end; 1691 } 1692 } 1693 end: 1694 if (debug) 1695 process_proxy_debug(indent, 1696 "End process_proxy_cond_adders at position %d: %s, returning %d\n", 1697 *pos, cond, ok); 1698 1699 *cond_end = cond; 1700 return ok; 1701} 1702 1703static int 1704process_proxy_cond(unsigned int letters[26], const char *cond, 1705 const char **cond_end) 1706{ 1707 int pos = 1; 1708 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); 1709} 1710 1711static int 1712app_verify_callback(X509_STORE_CTX *ctx, void *arg) 1713{ 1714 int ok = 1; 1715 struct app_verify_arg *cb_arg = arg; 1716 unsigned int letters[26]; /* only used with proxy_auth */ 1717 1718 if (cb_arg->app_verify) { 1719 char *s = NULL, buf[256]; 1720 1721 fprintf(stderr, "In app_verify_callback, allowing cert. "); 1722 fprintf(stderr, "Arg is: %s\n", cb_arg->string); 1723 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", 1724 (void *)ctx, (void *)ctx->cert); 1725 if (ctx->cert) 1726 s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256); 1727 if (s != NULL) { 1728 fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf); 1729 } 1730 return (1); 1731 } 1732 if (cb_arg->proxy_auth) { 1733 int found_any = 0, i; 1734 char *sp; 1735 1736 for (i = 0; i < 26; i++) 1737 letters[i] = 0; 1738 for (sp = cb_arg->proxy_auth; *sp; sp++) { 1739 int c = *sp; 1740 if (isascii(c) && isalpha(c)) { 1741 if (islower(c)) 1742 c = toupper(c); 1743 letters[c - 'A'] = 1; 1744 } 1745 } 1746 1747 fprintf(stderr, " Initial proxy rights = "); 1748 for (i = 0; i < 26; i++) 1749 if (letters[i]) { 1750 fprintf(stderr, "%c", i + 'A'); 1751 found_any = 1; 1752 } 1753 if (!found_any) 1754 fprintf(stderr, "none"); 1755 fprintf(stderr, "\n"); 1756 1757 X509_STORE_CTX_set_ex_data(ctx, 1758 get_proxy_auth_ex_data_idx(), letters); 1759 } 1760 if (cb_arg->allow_proxy_certs) { 1761 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); 1762 } 1763 1764 ok = X509_verify_cert(ctx); 1765 1766 if (cb_arg->proxy_auth) { 1767 if (ok > 0) { 1768 const char *cond_end = NULL; 1769 1770 ok = process_proxy_cond(letters, 1771 cb_arg->proxy_cond, &cond_end); 1772 1773 if (ok < 0) 1774 exit(3); 1775 if (*cond_end) { 1776 fprintf(stderr, "Stopped processing condition before it's end.\n"); 1777 ok = 0; 1778 } 1779 if (!ok) 1780 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", 1781 cb_arg->proxy_cond); 1782 else 1783 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", 1784 cb_arg->proxy_cond); 1785 } 1786 } 1787 return (ok); 1788} 1789 1790static RSA *rsa_tmp = NULL; 1791 1792static RSA * 1793tmp_rsa_cb(SSL *s, int is_export, int keylength) 1794{ 1795 BIGNUM *bn = NULL; 1796 if (rsa_tmp == NULL) { 1797 bn = BN_new(); 1798 rsa_tmp = RSA_new(); 1799 if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) { 1800 BIO_printf(bio_err, "Memory error..."); 1801 goto end; 1802 } 1803 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength); 1804 (void)BIO_flush(bio_err); 1805 if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) { 1806 BIO_printf(bio_err, "Error generating key."); 1807 RSA_free(rsa_tmp); 1808 rsa_tmp = NULL; 1809 } 1810end: 1811 BIO_printf(bio_err, "\n"); 1812 (void)BIO_flush(bio_err); 1813 } 1814 if (bn) 1815 BN_free(bn); 1816 return (rsa_tmp); 1817} 1818 1819static void 1820free_tmp_rsa(void) 1821{ 1822 if (rsa_tmp != NULL) { 1823 RSA_free(rsa_tmp); 1824 rsa_tmp = NULL; 1825 } 1826} 1827 1828/* These DH parameters have been generated as follows: 1829 * $ openssl dhparam -C -noout 512 1830 * $ openssl dhparam -C -noout 1024 1831 * $ openssl dhparam -C -noout -dsaparam 1024 1832 * (The third function has been renamed to avoid name conflicts.) 1833 */ 1834static DH * 1835get_dh512() 1836{ 1837 static unsigned char dh512_p[] = { 1838 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0, 0xC6, 1839 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04, 0xB0, 1840 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9, 0x5F, 1841 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33, 0xB8, 1842 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21, 0x33, 1843 0x02, 0xC5, 0xAE, 0x23, 1844 }; 1845 static unsigned char dh512_g[] = { 1846 0x02, 1847 }; 1848 DH *dh; 1849 1850 if ((dh = DH_new()) == NULL) return (NULL); 1851 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); 1852 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); 1853 if ((dh->p == NULL) || (dh->g == NULL)) { 1854 DH_free(dh); 1855 return (NULL); 1856 } 1857 return (dh); 1858} 1859 1860static DH * 1861get_dh1024() 1862{ 1863 static unsigned char dh1024_p[] = { 1864 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF, 0x3A, 1865 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56, 0xA2, 1866 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F, 0xB0, 1867 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87, 0xC2, 1868 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0, 0x8C, 1869 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F, 0xB8, 1870 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D, 0x52, 1871 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC, 0xC1, 1872 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB, 0xB1, 1873 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89, 0xAB, 1874 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53, 1875 }; 1876 static unsigned char dh1024_g[] = { 1877 0x02, 1878 }; 1879 DH *dh; 1880 1881 if ((dh = DH_new()) == NULL) return (NULL); 1882 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); 1883 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); 1884 if ((dh->p == NULL) || (dh->g == NULL)) { 1885 DH_free(dh); 1886 return (NULL); 1887 } 1888 return (dh); 1889} 1890 1891static DH * 1892get_dh1024dsa() 1893{ 1894 static unsigned char dh1024_p[] = { 1895 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5, 0x00, 1896 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87, 0x19, 1897 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65, 0xD2, 1898 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6, 0x55, 1899 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF, 0xFC, 1900 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52, 0x97, 1901 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28, 0x8D, 1902 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD, 0xBB, 1903 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C, 0xF6, 1904 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26, 0x9E, 1905 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39, 1906 }; 1907 static unsigned char dh1024_g[] = { 1908 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80, 0x05, 1909 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03, 0xF3, 1910 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A, 0xE9, 1911 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85, 0x3C, 1912 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B, 0x65, 1913 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF, 0x60, 1914 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E, 0xF6, 1915 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB, 0xA7, 1916 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72, 0xA1, 1917 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E, 0x60, 1918 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2, 1919 }; 1920 DH *dh; 1921 1922 if ((dh = DH_new()) == NULL) return (NULL); 1923 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); 1924 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); 1925 if ((dh->p == NULL) || (dh->g == NULL)) { 1926 DH_free(dh); 1927 return (NULL); 1928 } 1929 dh->length = 160; 1930 return (dh); 1931} 1932 1933static int 1934do_test_cipherlist(void) 1935{ 1936 int i = 0; 1937 const SSL_METHOD *meth; 1938 const SSL_CIPHER *ci, *tci = NULL; 1939 1940 fprintf(stderr, "testing SSLv3 cipher list order: "); 1941 meth = SSLv3_method(); 1942 tci = NULL; 1943 while ((ci = meth->get_cipher(i++)) != NULL) { 1944 if (tci != NULL) 1945 if (ci->id >= tci->id) { 1946 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 1947 return 0; 1948 } 1949 tci = ci; 1950 } 1951 fprintf(stderr, "ok\n"); 1952 fprintf(stderr, "testing TLSv1 cipher list order: "); 1953 meth = TLSv1_method(); 1954 tci = NULL; 1955 while ((ci = meth->get_cipher(i++)) != NULL) { 1956 if (tci != NULL) 1957 if (ci->id >= tci->id) { 1958 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 1959 return 0; 1960 } 1961 tci = ci; 1962 } 1963 fprintf(stderr, "ok\n"); 1964 1965 return 1; 1966} 1967