OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
ssltest.c
Go to the documentation of this file.
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young ([email protected])
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young ([email protected]).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to. The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson ([email protected]).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  * notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  * notice, this list of conditions and the following disclaimer in the
30  * documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  * must display the following acknowledgement:
33  * "This product includes cryptographic software written by
34  * Eric Young ([email protected])"
35  * The word 'cryptographic' can be left out if the rouines from the library
36  * being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  * the apps directory (application code) you must include an acknowledgement:
39  * "This product includes software written by Tim Hudson ([email protected])"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed. i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  * notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  * notice, this list of conditions and the following disclaimer in
70  * the documentation and/or other materials provided with the
71  * distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  * software must display the following acknowledgment:
75  * "This product includes software developed by the OpenSSL Project
76  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  * endorse or promote products derived from this software without
80  * prior written permission. For written permission, please contact
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  * nor may "OpenSSL" appear in their names without prior written
85  * permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  * acknowledgment:
89  * "This product includes software developed by the OpenSSL Project
90  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * ([email protected]). This product includes software written by Tim
108  * Hudson ([email protected]).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116 /* ====================================================================
117  * Copyright 2005 Nokia. All rights reserved.
118  *
119  * The portions of the attached software ("Contribution") is developed by
120  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121  * license.
122  *
123  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125  * support (see RFC 4279) to OpenSSL.
126  *
127  * No patent licenses or other rights except those expressly stated in
128  * the OpenSSL open source license shall be deemed granted or received
129  * expressly, by implication, estoppel, or otherwise.
130  *
131  * No assurances are provided by Nokia that the Contribution does not
132  * infringe the patent or other intellectual property rights of any third
133  * party or that the license provides you with all the necessary rights
134  * to make use of the Contribution.
135  *
136  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140  * OTHERWISE.
141  */
142 
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144  on Linux and GNU platforms. */
145 
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
154 #define USE_SOCKETS
155 #include "e_os.h"
156 
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159  VMS (at least with DECompHP C). */
160 #endif
161 
162 #include <ctype.h>
163 
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #ifndef OPENSSL_NO_SRP
185 #include <openssl/srp.h>
186 #endif
187 #include <openssl/bn.h>
189 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
190  on Compaq platforms (at least with DEC C).
191  Do not try to put it earlier, or IPv6 includes
192  get screwed...
193  */
194 
195 #ifdef OPENSSL_SYS_WINDOWS
196 #include <winsock.h>
197 #else
198 #include OPENSSL_UNISTD
199 #endif
200 
201 #ifdef OPENSSL_SYS_VMS
202 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
204 #elif defined(OPENSSL_SYS_WINCE)
205 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
207 #elif defined(OPENSSL_SYS_NETWARE)
208 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
210 #else
211 # define TEST_SERVER_CERT "../apps/server.pem"
212 # define TEST_CLIENT_CERT "../apps/client.pem"
213 #endif
214 
215 /* There is really no standard for this, so let's assign some tentative
216  numbers. In any case, these numbers are only for this test */
217 #define COMP_RLE 255
218 #define COMP_ZLIB 1
219 
220 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
221 #ifndef OPENSSL_NO_RSA
222 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
223 static void free_tmp_rsa(void);
224 #endif
225 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
226 #define APP_CALLBACK_STRING "Test Callback Argument"
227 struct app_verify_arg
228  {
229  char *string;
230  int app_verify;
231  int allow_proxy_certs;
232  char *proxy_auth;
233  char *proxy_cond;
234  };
235 
236 #ifndef OPENSSL_NO_DH
237 static DH *get_dh512(void);
238 static DH *get_dh1024(void);
239 static DH *get_dh1024dsa(void);
240 #endif
241 
242 
243 static char *psk_key=NULL; /* by default PSK is not used */
244 #ifndef OPENSSL_NO_PSK
245 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
246  unsigned int max_identity_len, unsigned char *psk,
247  unsigned int max_psk_len);
248 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249  unsigned int max_psk_len);
250 #endif
251 
252 #ifndef OPENSSL_NO_SRP
253 /* SRP client */
254 /* This is a context that we pass to all callbacks */
255 typedef struct srp_client_arg_st
256  {
257  char *srppassin;
258  char *srplogin;
259  } SRP_CLIENT_ARG;
260 
261 #define PWD_STRLEN 1024
262 
263 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
264  {
265  SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266  return BUF_strdup((char *)srp_client_arg->srppassin);
267  }
268 
269 /* SRP server */
270 /* This is a context that we pass to SRP server callbacks */
271 typedef struct srp_server_arg_st
272  {
273  char *expected_user;
274  char *pass;
275  } SRP_SERVER_ARG;
276 
277 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
278  {
279  SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280 
281  if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282  {
283  fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284  return SSL3_AL_FATAL;
285  }
286  if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287  {
288  *ad = SSL_AD_INTERNAL_ERROR;
289  return SSL3_AL_FATAL;
290  }
291  return SSL_ERROR_NONE;
292  }
293 #endif
294 
295 static BIO *bio_err=NULL;
296 static BIO *bio_stdout=NULL;
297 
298 static char *cipher=NULL;
299 static int verbose=0;
300 static int debug=0;
301 #if 0
302 /* Not used yet. */
303 #ifdef FIONBIO
304 static int s_nbio=0;
305 #endif
306 #endif
307 
308 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
309 
310 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
311 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
312 static int do_test_cipherlist(void);
313 static void sv_usage(void)
314  {
315  fprintf(stderr,"usage: ssltest [args ...]\n");
316  fprintf(stderr,"\n");
317 #ifdef OPENSSL_FIPS
318  fprintf(stderr,"-F - run test in FIPS mode\n");
319 #endif
320  fprintf(stderr," -server_auth - check server certificate\n");
321  fprintf(stderr," -client_auth - do client authentication\n");
322  fprintf(stderr," -proxy - allow proxy certificates\n");
323  fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
324  fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
325  fprintf(stderr," -v - more output\n");
326  fprintf(stderr," -d - debug output\n");
327  fprintf(stderr," -reuse - use session-id reuse\n");
328  fprintf(stderr," -num <val> - number of connections to perform\n");
329  fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
330 #ifndef OPENSSL_NO_DH
331  fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
332  fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
333  fprintf(stderr," -no_dhe - disable DHE\n");
334 #endif
335 #ifndef OPENSSL_NO_ECDH
336  fprintf(stderr," -no_ecdhe - disable ECDHE\n");
337 #endif
338 #ifndef OPENSSL_NO_PSK
339  fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
340 #endif
341 #ifndef OPENSSL_NO_SRP
342  fprintf(stderr," -srpuser user - SRP username to use\n");
343  fprintf(stderr," -srppass arg - password for 'user'\n");
344 #endif
345 #ifndef OPENSSL_NO_SSL2
346  fprintf(stderr," -ssl2 - use SSLv2\n");
347 #endif
348 #ifndef OPENSSL_NO_SSL3
349  fprintf(stderr," -ssl3 - use SSLv3\n");
350 #endif
351 #ifndef OPENSSL_NO_TLS1
352  fprintf(stderr," -tls1 - use TLSv1\n");
353 #endif
354  fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
355  fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
356  fprintf(stderr," -cert arg - Server certificate file\n");
357  fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
358  fprintf(stderr," -c_cert arg - Client certificate file\n");
359  fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
360  fprintf(stderr," -cipher arg - The cipher list\n");
361  fprintf(stderr," -bio_pair - Use BIO pairs\n");
362  fprintf(stderr," -f - Test even cases that can't work\n");
363  fprintf(stderr," -time - measure processor time used by client and server\n");
364  fprintf(stderr," -zlib - use zlib compression\n");
365  fprintf(stderr," -rle - use rle compression\n");
366 #ifndef OPENSSL_NO_ECDH
367  fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
368  " Use \"openssl ecparam -list_curves\" for all names\n" \
369  " (default is sect163r2).\n");
370 #endif
371  fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
372  }
373 
374 static void print_details(SSL *c_ssl, const char *prefix)
375  {
376  const SSL_CIPHER *ciph;
377  X509 *cert;
378 
379  ciph=SSL_get_current_cipher(c_ssl);
380  BIO_printf(bio_stdout,"%s%s, cipher %s %s",
381  prefix,
382  SSL_get_version(c_ssl),
384  SSL_CIPHER_get_name(ciph));
385  cert=SSL_get_peer_certificate(c_ssl);
386  if (cert != NULL)
387  {
388  EVP_PKEY *pkey = X509_get_pubkey(cert);
389  if (pkey != NULL)
390  {
391  if (0)
392  ;
393 #ifndef OPENSSL_NO_RSA
394  else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
395  && pkey->pkey.rsa->n != NULL)
396  {
397  BIO_printf(bio_stdout, ", %d bit RSA",
398  BN_num_bits(pkey->pkey.rsa->n));
399  }
400 #endif
401 #ifndef OPENSSL_NO_DSA
402  else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
403  && pkey->pkey.dsa->p != NULL)
404  {
405  BIO_printf(bio_stdout, ", %d bit DSA",
406  BN_num_bits(pkey->pkey.dsa->p));
407  }
408 #endif
409  EVP_PKEY_free(pkey);
410  }
411  X509_free(cert);
412  }
413  /* The SSL API does not allow us to look at temporary RSA/DH keys,
414  * otherwise we should print their lengths too */
415  BIO_printf(bio_stdout,"\n");
416  }
417 
418 static void lock_dbg_cb(int mode, int type, const char *file, int line)
419  {
420  static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
421  const char *errstr = NULL;
422  int rw;
423 
424  rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
425  if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
426  {
427  errstr = "invalid mode";
428  goto err;
429  }
430 
431  if (type < 0 || type >= CRYPTO_NUM_LOCKS)
432  {
433  errstr = "type out of bounds";
434  goto err;
435  }
436 
437  if (mode & CRYPTO_LOCK)
438  {
439  if (modes[type])
440  {
441  errstr = "already locked";
442  /* must not happen in a single-threaded program
443  * (would deadlock) */
444  goto err;
445  }
446 
447  modes[type] = rw;
448  }
449  else if (mode & CRYPTO_UNLOCK)
450  {
451  if (!modes[type])
452  {
453  errstr = "not locked";
454  goto err;
455  }
456 
457  if (modes[type] != rw)
458  {
459  errstr = (rw == CRYPTO_READ) ?
460  "CRYPTO_r_unlock on write lock" :
461  "CRYPTO_w_unlock on read lock";
462  }
463 
464  modes[type] = 0;
465  }
466  else
467  {
468  errstr = "invalid mode";
469  goto err;
470  }
471 
472  err:
473  if (errstr)
474  {
475  /* we cannot use bio_err here */
476  fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
477  errstr, mode, type, file, line);
478  }
479  }
480 
481 #ifdef TLSEXT_TYPE_opaque_prf_input
482 struct cb_info_st { void *input; size_t len; int ret; };
483 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
484 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
485 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
486 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
487 
488 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
489  {
490  struct cb_info_st *arg = arg_;
491 
492  if (arg == NULL)
493  return 1;
494 
495  if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
496  return 0;
497  return arg->ret;
498  }
499 #endif
500 
501 int main(int argc, char *argv[])
502  {
503  char *CApath=NULL,*CAfile=NULL;
504  int badop=0;
505  int bio_pair=0;
506  int force=0;
507  int tls1=0,ssl2=0,ssl3=0,ret=1;
508  int client_auth=0;
509  int server_auth=0,i;
510  struct app_verify_arg app_verify_arg =
511  { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
512  char *server_cert=TEST_SERVER_CERT;
513  char *server_key=NULL;
514  char *client_cert=TEST_CLIENT_CERT;
515  char *client_key=NULL;
516 #ifndef OPENSSL_NO_ECDH
517  char *named_curve = NULL;
518 #endif
519  SSL_CTX *s_ctx=NULL;
520  SSL_CTX *c_ctx=NULL;
521  const SSL_METHOD *meth=NULL;
522  SSL *c_ssl,*s_ssl;
523  int number=1,reuse=0;
524  long bytes=256L;
525 #ifndef OPENSSL_NO_DH
526  DH *dh;
527  int dhe1024 = 0, dhe1024dsa = 0;
528 #endif
529 #ifndef OPENSSL_NO_ECDH
530  EC_KEY *ecdh = NULL;
531 #endif
532 #ifndef OPENSSL_NO_SRP
533  /* client */
534  SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
535  /* server */
536  SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
537 #endif
538  int no_dhe = 0;
539  int no_ecdhe = 0;
540  int no_psk = 0;
541  int print_time = 0;
542  clock_t s_time = 0, c_time = 0;
543  int comp = 0;
544 #ifndef OPENSSL_NO_COMP
545  COMP_METHOD *cm = NULL;
546 #endif
547  STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
548  int test_cipherlist = 0;
549 #ifdef OPENSSL_FIPS
550  int fips_mode=0;
551 #endif
552 
553  verbose = 0;
554  debug = 0;
555  cipher = 0;
556 
557  bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
558 
559  CRYPTO_set_locking_callback(lock_dbg_cb);
560 
561  /* enable memory leak checking unless explicitly disabled */
562  if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
563  {
566  }
567  else
568  {
569  /* OPENSSL_DEBUG_MEMORY=off */
570  CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
571  }
573 
574  RAND_seed(rnd_seed, sizeof rnd_seed);
575 
576  bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
577 
578  argc--;
579  argv++;
580 
581  while (argc >= 1)
582  {
583  if(!strcmp(*argv,"-F"))
584  {
585 #ifdef OPENSSL_FIPS
586  fips_mode=1;
587 #else
588  fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
589  EXIT(0);
590 #endif
591  }
592  else if (strcmp(*argv,"-server_auth") == 0)
593  server_auth=1;
594  else if (strcmp(*argv,"-client_auth") == 0)
595  client_auth=1;
596  else if (strcmp(*argv,"-proxy_auth") == 0)
597  {
598  if (--argc < 1) goto bad;
599  app_verify_arg.proxy_auth= *(++argv);
600  }
601  else if (strcmp(*argv,"-proxy_cond") == 0)
602  {
603  if (--argc < 1) goto bad;
604  app_verify_arg.proxy_cond= *(++argv);
605  }
606  else if (strcmp(*argv,"-v") == 0)
607  verbose=1;
608  else if (strcmp(*argv,"-d") == 0)
609  debug=1;
610  else if (strcmp(*argv,"-reuse") == 0)
611  reuse=1;
612  else if (strcmp(*argv,"-dhe1024") == 0)
613  {
614 #ifndef OPENSSL_NO_DH
615  dhe1024=1;
616 #else
617  fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
618 #endif
619  }
620  else if (strcmp(*argv,"-dhe1024dsa") == 0)
621  {
622 #ifndef OPENSSL_NO_DH
623  dhe1024dsa=1;
624 #else
625  fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
626 #endif
627  }
628  else if (strcmp(*argv,"-no_dhe") == 0)
629  no_dhe=1;
630  else if (strcmp(*argv,"-no_ecdhe") == 0)
631  no_ecdhe=1;
632  else if (strcmp(*argv,"-psk") == 0)
633  {
634  if (--argc < 1) goto bad;
635  psk_key=*(++argv);
636 #ifndef OPENSSL_NO_PSK
637  if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
638  {
639  BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
640  goto bad;
641  }
642 #else
643  no_psk=1;
644 #endif
645  }
646 #ifndef OPENSSL_NO_SRP
647  else if (strcmp(*argv,"-srpuser") == 0)
648  {
649  if (--argc < 1) goto bad;
650  srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
651  tls1=1;
652  }
653  else if (strcmp(*argv,"-srppass") == 0)
654  {
655  if (--argc < 1) goto bad;
656  srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
657  tls1=1;
658  }
659 #endif
660  else if (strcmp(*argv,"-ssl2") == 0)
661  ssl2=1;
662  else if (strcmp(*argv,"-tls1") == 0)
663  tls1=1;
664  else if (strcmp(*argv,"-ssl3") == 0)
665  ssl3=1;
666  else if (strncmp(*argv,"-num",4) == 0)
667  {
668  if (--argc < 1) goto bad;
669  number= atoi(*(++argv));
670  if (number == 0) number=1;
671  }
672  else if (strcmp(*argv,"-bytes") == 0)
673  {
674  if (--argc < 1) goto bad;
675  bytes= atol(*(++argv));
676  if (bytes == 0L) bytes=1L;
677  i=strlen(argv[0]);
678  if (argv[0][i-1] == 'k') bytes*=1024L;
679  if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
680  }
681  else if (strcmp(*argv,"-cert") == 0)
682  {
683  if (--argc < 1) goto bad;
684  server_cert= *(++argv);
685  }
686  else if (strcmp(*argv,"-s_cert") == 0)
687  {
688  if (--argc < 1) goto bad;
689  server_cert= *(++argv);
690  }
691  else if (strcmp(*argv,"-key") == 0)
692  {
693  if (--argc < 1) goto bad;
694  server_key= *(++argv);
695  }
696  else if (strcmp(*argv,"-s_key") == 0)
697  {
698  if (--argc < 1) goto bad;
699  server_key= *(++argv);
700  }
701  else if (strcmp(*argv,"-c_cert") == 0)
702  {
703  if (--argc < 1) goto bad;
704  client_cert= *(++argv);
705  }
706  else if (strcmp(*argv,"-c_key") == 0)
707  {
708  if (--argc < 1) goto bad;
709  client_key= *(++argv);
710  }
711  else if (strcmp(*argv,"-cipher") == 0)
712  {
713  if (--argc < 1) goto bad;
714  cipher= *(++argv);
715  }
716  else if (strcmp(*argv,"-CApath") == 0)
717  {
718  if (--argc < 1) goto bad;
719  CApath= *(++argv);
720  }
721  else if (strcmp(*argv,"-CAfile") == 0)
722  {
723  if (--argc < 1) goto bad;
724  CAfile= *(++argv);
725  }
726  else if (strcmp(*argv,"-bio_pair") == 0)
727  {
728  bio_pair = 1;
729  }
730  else if (strcmp(*argv,"-f") == 0)
731  {
732  force = 1;
733  }
734  else if (strcmp(*argv,"-time") == 0)
735  {
736  print_time = 1;
737  }
738  else if (strcmp(*argv,"-zlib") == 0)
739  {
740  comp = COMP_ZLIB;
741  }
742  else if (strcmp(*argv,"-rle") == 0)
743  {
744  comp = COMP_RLE;
745  }
746  else if (strcmp(*argv,"-named_curve") == 0)
747  {
748  if (--argc < 1) goto bad;
749 #ifndef OPENSSL_NO_ECDH
750  named_curve = *(++argv);
751 #else
752  fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
753  ++argv;
754 #endif
755  }
756  else if (strcmp(*argv,"-app_verify") == 0)
757  {
758  app_verify_arg.app_verify = 1;
759  }
760  else if (strcmp(*argv,"-proxy") == 0)
761  {
762  app_verify_arg.allow_proxy_certs = 1;
763  }
764  else if (strcmp(*argv,"-test_cipherlist") == 0)
765  {
766  test_cipherlist = 1;
767  }
768  else
769  {
770  fprintf(stderr,"unknown option %s\n",*argv);
771  badop=1;
772  break;
773  }
774  argc--;
775  argv++;
776  }
777  if (badop)
778  {
779 bad:
780  sv_usage();
781  goto end;
782  }
783 
784  if (test_cipherlist == 1)
785  {
786  /* ensure that the cipher list are correctly sorted and exit */
787  if (do_test_cipherlist() == 0)
788  EXIT(1);
789  ret = 0;
790  goto end;
791  }
792 
793  if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
794  {
795  fprintf(stderr, "This case cannot work. Use -f to perform "
796  "the test anyway (and\n-d to see what happens), "
797  "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
798  "to avoid protocol mismatch.\n");
799  EXIT(1);
800  }
801 
802 #ifdef OPENSSL_FIPS
803  if(fips_mode)
804  {
805  if(!FIPS_mode_set(1))
806  {
809  EXIT(1);
810  }
811  else
812  fprintf(stderr,"*** IN FIPS MODE ***\n");
813  }
814 #endif
815 
816  if (print_time)
817  {
818  if (!bio_pair)
819  {
820  fprintf(stderr, "Using BIO pair (-bio_pair)\n");
821  bio_pair = 1;
822  }
823  if (number < 50 && !force)
824  fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
825  }
826 
827 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
828 
831 
832 #ifndef OPENSSL_NO_COMP
833  if (comp == COMP_ZLIB) cm = COMP_zlib();
834  if (comp == COMP_RLE) cm = COMP_rle();
835  if (cm != NULL)
836  {
837  if (cm->type != NID_undef)
838  {
839  if (SSL_COMP_add_compression_method(comp, cm) != 0)
840  {
841  fprintf(stderr,
842  "Failed to add compression method\n");
843  ERR_print_errors_fp(stderr);
844  }
845  }
846  else
847  {
848  fprintf(stderr,
849  "Warning: %s compression not supported\n",
850  (comp == COMP_RLE ? "rle" :
851  (comp == COMP_ZLIB ? "zlib" :
852  "unknown")));
853  ERR_print_errors_fp(stderr);
854  }
855  }
856  ssl_comp_methods = SSL_COMP_get_compression_methods();
857  fprintf(stderr, "Available compression methods:\n");
858  {
859  int j, n = sk_SSL_COMP_num(ssl_comp_methods);
860  if (n == 0)
861  fprintf(stderr, " NONE\n");
862  else
863  for (j = 0; j < n; j++)
864  {
865  SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
866  fprintf(stderr, " %d: %s\n", c->id, c->name);
867  }
868  }
869 #endif
870 
871 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
872  if (ssl2)
873  meth=SSLv2_method();
874  else
875  if (tls1)
876  meth=TLSv1_method();
877  else
878  if (ssl3)
879  meth=SSLv3_method();
880  else
881  meth=SSLv23_method();
882 #else
883 #ifdef OPENSSL_NO_SSL2
884  meth=SSLv3_method();
885 #else
886  meth=SSLv2_method();
887 #endif
888 #endif
889 
890  c_ctx=SSL_CTX_new(meth);
891  s_ctx=SSL_CTX_new(meth);
892  if ((c_ctx == NULL) || (s_ctx == NULL))
893  {
894  ERR_print_errors(bio_err);
895  goto end;
896  }
897 
898  if (cipher != NULL)
899  {
900  SSL_CTX_set_cipher_list(c_ctx,cipher);
901  SSL_CTX_set_cipher_list(s_ctx,cipher);
902  }
903 
904 #ifndef OPENSSL_NO_DH
905  if (!no_dhe)
906  {
907  if (dhe1024dsa)
908  {
909  /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
911  dh=get_dh1024dsa();
912  }
913  else if (dhe1024)
914  dh=get_dh1024();
915  else
916  dh=get_dh512();
917  SSL_CTX_set_tmp_dh(s_ctx,dh);
918  DH_free(dh);
919  }
920 #else
921  (void)no_dhe;
922 #endif
923 
924 #ifndef OPENSSL_NO_ECDH
925  if (!no_ecdhe)
926  {
927  int nid;
928 
929  if (named_curve != NULL)
930  {
931  nid = OBJ_sn2nid(named_curve);
932  if (nid == 0)
933  {
934  BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
935  goto end;
936  }
937  }
938  else
939 #ifdef OPENSSL_NO_EC2M
940  nid = NID_X9_62_prime256v1;
941 #else
942  nid = NID_sect163r2;
943 #endif
944 
945  ecdh = EC_KEY_new_by_curve_name(nid);
946  if (ecdh == NULL)
947  {
948  BIO_printf(bio_err, "unable to create curve\n");
949  goto end;
950  }
951 
952  SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
954  EC_KEY_free(ecdh);
955  }
956 #else
957  (void)no_ecdhe;
958 #endif
959 
960 #ifndef OPENSSL_NO_RSA
961  SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
962 #endif
963 
964 #ifdef TLSEXT_TYPE_opaque_prf_input
965  SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
966  SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
967  SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
968  SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
969 #endif
970 
971  if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
972  {
973  ERR_print_errors(bio_err);
974  }
975  else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
976  (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
977  {
978  ERR_print_errors(bio_err);
979  goto end;
980  }
981 
982  if (client_auth)
983  {
984  SSL_CTX_use_certificate_file(c_ctx,client_cert,
987  (client_key?client_key:client_cert),
989  }
990 
991  if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
993  (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
995  {
996  /* fprintf(stderr,"SSL_load_verify_locations\n"); */
997  ERR_print_errors(bio_err);
998  /* goto end; */
999  }
1000 
1001  if (client_auth)
1002  {
1003  BIO_printf(bio_err,"client authentication\n");
1004  SSL_CTX_set_verify(s_ctx,
1006  verify_callback);
1007  SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1008  }
1009  if (server_auth)
1010  {
1011  BIO_printf(bio_err,"server authentication\n");
1013  verify_callback);
1014  SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1015  }
1016 
1017  {
1018  int session_id_context = 0;
1019  SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1020  }
1021 
1022  /* Use PSK only if PSK key is given */
1023  if (psk_key != NULL)
1024  {
1025  /* no_psk is used to avoid putting psk command to openssl tool */
1026  if (no_psk)
1027  {
1028  /* if PSK is not compiled in and psk key is
1029  * given, do nothing and exit successfully */
1030  ret=0;
1031  goto end;
1032  }
1033 #ifndef OPENSSL_NO_PSK
1034  SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1035  SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1036  if (debug)
1037  BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1038  if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1039  {
1040  BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1041  ERR_print_errors(bio_err);
1042  goto end;
1043  }
1044 #endif
1045  }
1046 #ifndef OPENSSL_NO_SRP
1047  if (srp_client_arg.srplogin)
1048  {
1049  if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1050  {
1051  BIO_printf(bio_err,"Unable to set SRP username\n");
1052  goto end;
1053  }
1054  SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1055  SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1056  /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1057  }
1058 
1059  if (srp_server_arg.expected_user != NULL)
1060  {
1062  SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1063  SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1064  }
1065 #endif
1066 
1067  c_ssl=SSL_new(c_ctx);
1068  s_ssl=SSL_new(s_ctx);
1069 
1070 #ifndef OPENSSL_NO_KRB5
1071  if (c_ssl && c_ssl->kssl_ctx)
1072  {
1073  char localhost[MAXHOSTNAMELEN+2];
1074 
1075  if (gethostname(localhost, sizeof localhost-1) == 0)
1076  {
1077  localhost[sizeof localhost-1]='\0';
1078  if(strlen(localhost) == sizeof localhost-1)
1079  {
1080  BIO_printf(bio_err,"localhost name too long\n");
1081  goto end;
1082  }
1084  localhost);
1085  }
1086  }
1087 #endif /* OPENSSL_NO_KRB5 */
1088 
1089  for (i=0; i<number; i++)
1090  {
1091  if (!reuse) SSL_set_session(c_ssl,NULL);
1092  if (bio_pair)
1093  ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1094  else
1095  ret=doit(s_ssl,c_ssl,bytes);
1096  }
1097 
1098  if (!verbose)
1099  {
1100  print_details(c_ssl, "");
1101  }
1102  if ((number > 1) || (bytes > 1L))
1103  BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1104  if (print_time)
1105  {
1106 #ifdef CLOCKS_PER_SEC
1107  /* "To determine the time in seconds, the value returned
1108  * by the clock function should be divided by the value
1109  * of the macro CLOCKS_PER_SEC."
1110  * -- ISO/IEC 9899 */
1111  BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1112  "Approximate total client time: %6.2f s\n",
1113  (double)s_time/CLOCKS_PER_SEC,
1114  (double)c_time/CLOCKS_PER_SEC);
1115 #else
1116  /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1117  * -- cc on NeXTstep/OpenStep */
1118  BIO_printf(bio_stdout,
1119  "Approximate total server time: %6.2f units\n"
1120  "Approximate total client time: %6.2f units\n",
1121  (double)s_time,
1122  (double)c_time);
1123 #endif
1124  }
1125 
1126  SSL_free(s_ssl);
1127  SSL_free(c_ssl);
1128 
1129 end:
1130  if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1131  if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1132 
1133  if (bio_stdout != NULL) BIO_free(bio_stdout);
1134 
1135 #ifndef OPENSSL_NO_RSA
1136  free_tmp_rsa();
1137 #endif
1138 #ifndef OPENSSL_NO_ENGINE
1139  ENGINE_cleanup();
1140 #endif
1142  ERR_free_strings();
1144  EVP_cleanup();
1145  CRYPTO_mem_leaks(bio_err);
1146  if (bio_err != NULL) BIO_free(bio_err);
1147  EXIT(ret);
1148  return ret;
1149  }
1150 
1151 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1152  clock_t *s_time, clock_t *c_time)
1153  {
1154  long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1155  BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1156  BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1157  int ret = 1;
1158 
1159  size_t bufsiz = 256; /* small buffer for testing */
1160 
1161  if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1162  goto err;
1163  if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1164  goto err;
1165 
1166  s_ssl_bio = BIO_new(BIO_f_ssl());
1167  if (!s_ssl_bio)
1168  goto err;
1169 
1170  c_ssl_bio = BIO_new(BIO_f_ssl());
1171  if (!c_ssl_bio)
1172  goto err;
1173 
1174  SSL_set_connect_state(c_ssl);
1175  SSL_set_bio(c_ssl, client, client);
1176  (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1177 
1178  SSL_set_accept_state(s_ssl);
1179  SSL_set_bio(s_ssl, server, server);
1180  (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1181 
1182  do
1183  {
1184  /* c_ssl_bio: SSL filter BIO
1185  *
1186  * client: pseudo-I/O for SSL library
1187  *
1188  * client_io: client's SSL communication; usually to be
1189  * relayed over some I/O facility, but in this
1190  * test program, we're the server, too:
1191  *
1192  * server_io: server's SSL communication
1193  *
1194  * server: pseudo-I/O for SSL library
1195  *
1196  * s_ssl_bio: SSL filter BIO
1197  *
1198  * The client and the server each employ a "BIO pair":
1199  * client + client_io, server + server_io.
1200  * BIO pairs are symmetric. A BIO pair behaves similar
1201  * to a non-blocking socketpair (but both endpoints must
1202  * be handled by the same thread).
1203  * [Here we could connect client and server to the ends
1204  * of a single BIO pair, but then this code would be less
1205  * suitable as an example for BIO pairs in general.]
1206  *
1207  * Useful functions for querying the state of BIO pair endpoints:
1208  *
1209  * BIO_ctrl_pending(bio) number of bytes we can read now
1210  * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1211  * other side's read attempt
1212  * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1213  *
1214  * ..._read_request is never more than ..._write_guarantee;
1215  * it depends on the application which one you should use.
1216  */
1217 
1218  /* We have non-blocking behaviour throughout this test program, but
1219  * can be sure that there is *some* progress in each iteration; so
1220  * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1221  * -- we just try everything in each iteration
1222  */
1223 
1224  {
1225  /* CLIENT */
1226 
1227  MS_STATIC char cbuf[1024*8];
1228  int i, r;
1229  clock_t c_clock = clock();
1230 
1231  memset(cbuf, 0, sizeof(cbuf));
1232 
1233  if (debug)
1234  if (SSL_in_init(c_ssl))
1235  printf("client waiting in SSL_connect - %s\n",
1236  SSL_state_string_long(c_ssl));
1237 
1238  if (cw_num > 0)
1239  {
1240  /* Write to server. */
1241 
1242  if (cw_num > (long)sizeof cbuf)
1243  i = sizeof cbuf;
1244  else
1245  i = (int)cw_num;
1246  r = BIO_write(c_ssl_bio, cbuf, i);
1247  if (r < 0)
1248  {
1249  if (!BIO_should_retry(c_ssl_bio))
1250  {
1251  fprintf(stderr,"ERROR in CLIENT\n");
1252  goto err;
1253  }
1254  /* BIO_should_retry(...) can just be ignored here.
1255  * The library expects us to call BIO_write with
1256  * the same arguments again, and that's what we will
1257  * do in the next iteration. */
1258  }
1259  else if (r == 0)
1260  {
1261  fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1262  goto err;
1263  }
1264  else
1265  {
1266  if (debug)
1267  printf("client wrote %d\n", r);
1268  cw_num -= r;
1269  }
1270  }
1271 
1272  if (cr_num > 0)
1273  {
1274  /* Read from server. */
1275 
1276  r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1277  if (r < 0)
1278  {
1279  if (!BIO_should_retry(c_ssl_bio))
1280  {
1281  fprintf(stderr,"ERROR in CLIENT\n");
1282  goto err;
1283  }
1284  /* Again, "BIO_should_retry" can be ignored. */
1285  }
1286  else if (r == 0)
1287  {
1288  fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1289  goto err;
1290  }
1291  else
1292  {
1293  if (debug)
1294  printf("client read %d\n", r);
1295  cr_num -= r;
1296  }
1297  }
1298 
1299  /* c_time and s_time increments will typically be very small
1300  * (depending on machine speed and clock tick intervals),
1301  * but sampling over a large number of connections should
1302  * result in fairly accurate figures. We cannot guarantee
1303  * a lot, however -- if each connection lasts for exactly
1304  * one clock tick, it will be counted only for the client
1305  * or only for the server or even not at all.
1306  */
1307  *c_time += (clock() - c_clock);
1308  }
1309 
1310  {
1311  /* SERVER */
1312 
1313  MS_STATIC char sbuf[1024*8];
1314  int i, r;
1315  clock_t s_clock = clock();
1316 
1317  memset(sbuf, 0, sizeof(sbuf));
1318 
1319  if (debug)
1320  if (SSL_in_init(s_ssl))
1321  printf("server waiting in SSL_accept - %s\n",
1322  SSL_state_string_long(s_ssl));
1323 
1324  if (sw_num > 0)
1325  {
1326  /* Write to client. */
1327 
1328  if (sw_num > (long)sizeof sbuf)
1329  i = sizeof sbuf;
1330  else
1331  i = (int)sw_num;
1332  r = BIO_write(s_ssl_bio, sbuf, i);
1333  if (r < 0)
1334  {
1335  if (!BIO_should_retry(s_ssl_bio))
1336  {
1337  fprintf(stderr,"ERROR in SERVER\n");
1338  goto err;
1339  }
1340  /* Ignore "BIO_should_retry". */
1341  }
1342  else if (r == 0)
1343  {
1344  fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1345  goto err;
1346  }
1347  else
1348  {
1349  if (debug)
1350  printf("server wrote %d\n", r);
1351  sw_num -= r;
1352  }
1353  }
1354 
1355  if (sr_num > 0)
1356  {
1357  /* Read from client. */
1358 
1359  r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1360  if (r < 0)
1361  {
1362  if (!BIO_should_retry(s_ssl_bio))
1363  {
1364  fprintf(stderr,"ERROR in SERVER\n");
1365  goto err;
1366  }
1367  /* blah, blah */
1368  }
1369  else if (r == 0)
1370  {
1371  fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1372  goto err;
1373  }
1374  else
1375  {
1376  if (debug)
1377  printf("server read %d\n", r);
1378  sr_num -= r;
1379  }
1380  }
1381 
1382  *s_time += (clock() - s_clock);
1383  }
1384 
1385  {
1386  /* "I/O" BETWEEN CLIENT AND SERVER. */
1387 
1388  size_t r1, r2;
1389  BIO *io1 = server_io, *io2 = client_io;
1390  /* we use the non-copying interface for io1
1391  * and the standard BIO_write/BIO_read interface for io2
1392  */
1393 
1394  static int prev_progress = 1;
1395  int progress = 0;
1396 
1397  /* io1 to io2 */
1398  do
1399  {
1400  size_t num;
1401  int r;
1402 
1403  r1 = BIO_ctrl_pending(io1);
1404  r2 = BIO_ctrl_get_write_guarantee(io2);
1405 
1406  num = r1;
1407  if (r2 < num)
1408  num = r2;
1409  if (num)
1410  {
1411  char *dataptr;
1412 
1413  if (INT_MAX < num) /* yeah, right */
1414  num = INT_MAX;
1415 
1416  r = BIO_nread(io1, &dataptr, (int)num);
1417  assert(r > 0);
1418  assert(r <= (int)num);
1419  /* possibly r < num (non-contiguous data) */
1420  num = r;
1421  r = BIO_write(io2, dataptr, (int)num);
1422  if (r != (int)num) /* can't happen */
1423  {
1424  fprintf(stderr, "ERROR: BIO_write could not write "
1425  "BIO_ctrl_get_write_guarantee() bytes");
1426  goto err;
1427  }
1428  progress = 1;
1429 
1430  if (debug)
1431  printf((io1 == client_io) ?
1432  "C->S relaying: %d bytes\n" :
1433  "S->C relaying: %d bytes\n",
1434  (int)num);
1435  }
1436  }
1437  while (r1 && r2);
1438 
1439  /* io2 to io1 */
1440  {
1441  size_t num;
1442  int r;
1443 
1444  r1 = BIO_ctrl_pending(io2);
1445  r2 = BIO_ctrl_get_read_request(io1);
1446  /* here we could use ..._get_write_guarantee instead of
1447  * ..._get_read_request, but by using the latter
1448  * we test restartability of the SSL implementation
1449  * more thoroughly */
1450  num = r1;
1451  if (r2 < num)
1452  num = r2;
1453  if (num)
1454  {
1455  char *dataptr;
1456 
1457  if (INT_MAX < num)
1458  num = INT_MAX;
1459 
1460  if (num > 1)
1461  --num; /* test restartability even more thoroughly */
1462 
1463  r = BIO_nwrite0(io1, &dataptr);
1464  assert(r > 0);
1465  if (r < (int)num)
1466  num = r;
1467  r = BIO_read(io2, dataptr, (int)num);
1468  if (r != (int)num) /* can't happen */
1469  {
1470  fprintf(stderr, "ERROR: BIO_read could not read "
1471  "BIO_ctrl_pending() bytes");
1472  goto err;
1473  }
1474  progress = 1;
1475  r = BIO_nwrite(io1, &dataptr, (int)num);
1476  if (r != (int)num) /* can't happen */
1477  {
1478  fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1479  "BIO_nwrite0() bytes");
1480  goto err;
1481  }
1482 
1483  if (debug)
1484  printf((io2 == client_io) ?
1485  "C->S relaying: %d bytes\n" :
1486  "S->C relaying: %d bytes\n",
1487  (int)num);
1488  }
1489  } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1490 
1491  if (!progress && !prev_progress)
1492  if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1493  {
1494  fprintf(stderr, "ERROR: got stuck\n");
1495  if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1496  {
1497  fprintf(stderr, "This can happen for SSL2 because "
1498  "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1499  "concurrently ...");
1500  if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1501  && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1502  {
1503  fprintf(stderr, " ok.\n");
1504  goto end;
1505  }
1506  }
1507  fprintf(stderr, " ERROR.\n");
1508  goto err;
1509  }
1510  prev_progress = progress;
1511  }
1512  }
1513  while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1514 
1515  if (verbose)
1516  print_details(c_ssl, "DONE via BIO pair: ");
1517 end:
1518  ret = 0;
1519 
1520  err:
1521  ERR_print_errors(bio_err);
1522 
1523  if (server)
1524  BIO_free(server);
1525  if (server_io)
1526  BIO_free(server_io);
1527  if (client)
1528  BIO_free(client);
1529  if (client_io)
1530  BIO_free(client_io);
1531  if (s_ssl_bio)
1532  BIO_free(s_ssl_bio);
1533  if (c_ssl_bio)
1534  BIO_free(c_ssl_bio);
1536  return ret;
1537  }
1539 
1540 #define W_READ 1
1541 #define W_WRITE 2
1542 #define C_DONE 1
1543 #define S_DONE 2
1544 
1545 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1546  {
1547  MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1548  long cw_num=count,cr_num=count;
1549  long sw_num=count,sr_num=count;
1550  int ret=1;
1551  BIO *c_to_s=NULL;
1552  BIO *s_to_c=NULL;
1553  BIO *c_bio=NULL;
1554  BIO *s_bio=NULL;
1555  int c_r,c_w,s_r,s_w;
1556  int i,j;
1557  int done=0;
1558  int c_write,s_write;
1559  int do_server=0,do_client=0;
1560 
1561  memset(cbuf,0,sizeof(cbuf));
1562  memset(sbuf,0,sizeof(sbuf));
1563 
1564  c_to_s=BIO_new(BIO_s_mem());
1565  s_to_c=BIO_new(BIO_s_mem());
1566  if ((s_to_c == NULL) || (c_to_s == NULL))
1567  {
1568  ERR_print_errors(bio_err);
1569  goto err;
1570  }
1571 
1572  c_bio=BIO_new(BIO_f_ssl());
1573  s_bio=BIO_new(BIO_f_ssl());
1574  if ((c_bio == NULL) || (s_bio == NULL))
1575  {
1576  ERR_print_errors(bio_err);
1577  goto err;
1578  }
1579 
1580  SSL_set_connect_state(c_ssl);
1581  SSL_set_bio(c_ssl,s_to_c,c_to_s);
1582  BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1583 
1584  SSL_set_accept_state(s_ssl);
1585  SSL_set_bio(s_ssl,c_to_s,s_to_c);
1586  BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1587 
1588  c_r=0; s_r=1;
1589  c_w=1; s_w=0;
1590  c_write=1,s_write=0;
1591 
1592  /* We can always do writes */
1593  for (;;)
1594  {
1595  do_server=0;
1596  do_client=0;
1597 
1598  i=(int)BIO_pending(s_bio);
1599  if ((i && s_r) || s_w) do_server=1;
1600 
1601  i=(int)BIO_pending(c_bio);
1602  if ((i && c_r) || c_w) do_client=1;
1603 
1604  if (do_server && debug)
1605  {
1606  if (SSL_in_init(s_ssl))
1607  printf("server waiting in SSL_accept - %s\n",
1608  SSL_state_string_long(s_ssl));
1609 /* else if (s_write)
1610  printf("server:SSL_write()\n");
1611  else
1612  printf("server:SSL_read()\n"); */
1613  }
1614 
1615  if (do_client && debug)
1616  {
1617  if (SSL_in_init(c_ssl))
1618  printf("client waiting in SSL_connect - %s\n",
1619  SSL_state_string_long(c_ssl));
1620 /* else if (c_write)
1621  printf("client:SSL_write()\n");
1622  else
1623  printf("client:SSL_read()\n"); */
1624  }
1625 
1626  if (!do_client && !do_server)
1627  {
1628  fprintf(stdout,"ERROR IN STARTUP\n");
1629  ERR_print_errors(bio_err);
1630  break;
1631  }
1632  if (do_client && !(done & C_DONE))
1633  {
1634  if (c_write)
1635  {
1636  j = (cw_num > (long)sizeof(cbuf)) ?
1637  (int)sizeof(cbuf) : (int)cw_num;
1638  i=BIO_write(c_bio,cbuf,j);
1639  if (i < 0)
1640  {
1641  c_r=0;
1642  c_w=0;
1643  if (BIO_should_retry(c_bio))
1644  {
1645  if (BIO_should_read(c_bio))
1646  c_r=1;
1647  if (BIO_should_write(c_bio))
1648  c_w=1;
1649  }
1650  else
1651  {
1652  fprintf(stderr,"ERROR in CLIENT\n");
1653  ERR_print_errors(bio_err);
1654  goto err;
1655  }
1656  }
1657  else if (i == 0)
1658  {
1659  fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1660  goto err;
1661  }
1662  else
1663  {
1664  if (debug)
1665  printf("client wrote %d\n",i);
1666  /* ok */
1667  s_r=1;
1668  c_write=0;
1669  cw_num-=i;
1670  }
1671  }
1672  else
1673  {
1674  i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1675  if (i < 0)
1676  {
1677  c_r=0;
1678  c_w=0;
1679  if (BIO_should_retry(c_bio))
1680  {
1681  if (BIO_should_read(c_bio))
1682  c_r=1;
1683  if (BIO_should_write(c_bio))
1684  c_w=1;
1685  }
1686  else
1687  {
1688  fprintf(stderr,"ERROR in CLIENT\n");
1689  ERR_print_errors(bio_err);
1690  goto err;
1691  }
1692  }
1693  else if (i == 0)
1694  {
1695  fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1696  goto err;
1697  }
1698  else
1699  {
1700  if (debug)
1701  printf("client read %d\n",i);
1702  cr_num-=i;
1703  if (sw_num > 0)
1704  {
1705  s_write=1;
1706  s_w=1;
1707  }
1708  if (cr_num <= 0)
1709  {
1710  s_write=1;
1711  s_w=1;
1712  done=S_DONE|C_DONE;
1713  }
1714  }
1715  }
1716  }
1717 
1718  if (do_server && !(done & S_DONE))
1719  {
1720  if (!s_write)
1721  {
1722  i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1723  if (i < 0)
1724  {
1725  s_r=0;
1726  s_w=0;
1727  if (BIO_should_retry(s_bio))
1728  {
1729  if (BIO_should_read(s_bio))
1730  s_r=1;
1731  if (BIO_should_write(s_bio))
1732  s_w=1;
1733  }
1734  else
1735  {
1736  fprintf(stderr,"ERROR in SERVER\n");
1737  ERR_print_errors(bio_err);
1738  goto err;
1739  }
1740  }
1741  else if (i == 0)
1742  {
1743  ERR_print_errors(bio_err);
1744  fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1745  goto err;
1746  }
1747  else
1748  {
1749  if (debug)
1750  printf("server read %d\n",i);
1751  sr_num-=i;
1752  if (cw_num > 0)
1753  {
1754  c_write=1;
1755  c_w=1;
1756  }
1757  if (sr_num <= 0)
1758  {
1759  s_write=1;
1760  s_w=1;
1761  c_write=0;
1762  }
1763  }
1764  }
1765  else
1766  {
1767  j = (sw_num > (long)sizeof(sbuf)) ?
1768  (int)sizeof(sbuf) : (int)sw_num;
1769  i=BIO_write(s_bio,sbuf,j);
1770  if (i < 0)
1771  {
1772  s_r=0;
1773  s_w=0;
1774  if (BIO_should_retry(s_bio))
1775  {
1776  if (BIO_should_read(s_bio))
1777  s_r=1;
1778  if (BIO_should_write(s_bio))
1779  s_w=1;
1780  }
1781  else
1782  {
1783  fprintf(stderr,"ERROR in SERVER\n");
1784  ERR_print_errors(bio_err);
1785  goto err;
1786  }
1787  }
1788  else if (i == 0)
1789  {
1790  ERR_print_errors(bio_err);
1791  fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1792  goto err;
1793  }
1794  else
1795  {
1796  if (debug)
1797  printf("server wrote %d\n",i);
1798  sw_num-=i;
1799  s_write=0;
1800  c_r=1;
1801  if (sw_num <= 0)
1802  done|=S_DONE;
1803  }
1804  }
1805  }
1806 
1807  if ((done & S_DONE) && (done & C_DONE)) break;
1808  }
1809 
1810  if (verbose)
1811  print_details(c_ssl, "DONE: ");
1812  ret=0;
1813 err:
1814  /* We have to set the BIO's to NULL otherwise they will be
1815  * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1816  * again when c_ssl is SSL_free()ed.
1817  * This is a hack required because s_ssl and c_ssl are sharing the same
1818  * BIO structure and SSL_set_bio() and SSL_free() automatically
1819  * BIO_free non NULL entries.
1820  * You should not normally do this or be required to do this */
1821  if (s_ssl != NULL)
1822  {
1823  s_ssl->rbio=NULL;
1824  s_ssl->wbio=NULL;
1825  }
1826  if (c_ssl != NULL)
1827  {
1828  c_ssl->rbio=NULL;
1829  c_ssl->wbio=NULL;
1830  }
1831 
1832  if (c_to_s != NULL) BIO_free(c_to_s);
1833  if (s_to_c != NULL) BIO_free(s_to_c);
1834  if (c_bio != NULL) BIO_free_all(c_bio);
1835  if (s_bio != NULL) BIO_free_all(s_bio);
1836  return(ret);
1837  }
1838 
1839 static int get_proxy_auth_ex_data_idx(void)
1840  {
1841  static volatile int idx = -1;
1842  if (idx < 0)
1843  {
1845  if (idx < 0)
1846  {
1848  "SSLtest for verify callback", NULL,NULL,NULL);
1849  }
1851  }
1852  return idx;
1853  }
1854 
1855 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1856  {
1857  char *s,buf[256];
1858 
1860  sizeof buf);
1861  if (s != NULL)
1862  {
1863  if (ok)
1864  fprintf(stderr,"depth=%d %s\n",
1865  ctx->error_depth,buf);
1866  else
1867  {
1868  fprintf(stderr,"depth=%d error=%d %s\n",
1869  ctx->error_depth,ctx->error,buf);
1870  }
1871  }
1872 
1873  if (ok == 0)
1874  {
1875  fprintf(stderr,"Error string: %s\n",
1877  switch (ctx->error)
1878  {
1882  fprintf(stderr," ... ignored.\n");
1883  ok=1;
1884  }
1885  }
1886 
1887  if (ok == 1)
1888  {
1889  X509 *xs = ctx->current_cert;
1890 #if 0
1891  X509 *xi = ctx->current_issuer;
1892 #endif
1893 
1894  if (xs->ex_flags & EXFLAG_PROXY)
1895  {
1896  unsigned int *letters =
1898  get_proxy_auth_ex_data_idx());
1899 
1900  if (letters)
1901  {
1902  int found_any = 0;
1903  int i;
1906  NULL, NULL);
1907 
1908  switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1909  {
1910  case NID_Independent:
1911  /* Completely meaningless in this
1912  program, as there's no way to
1913  grant explicit rights to a
1914  specific PrC. Basically, using
1915  id-ppl-Independent is the perfect
1916  way to grant no rights at all. */
1917  fprintf(stderr, " Independent proxy certificate");
1918  for (i = 0; i < 26; i++)
1919  letters[i] = 0;
1920  break;
1921  case NID_id_ppl_inheritAll:
1922  /* This is basically a NOP, we
1923  simply let the current rights
1924  stand as they are. */
1925  fprintf(stderr, " Proxy certificate inherits all");
1926  break;
1927  default:
1928  s = (char *)
1929  pci->proxyPolicy->policy->data;
1930  i = pci->proxyPolicy->policy->length;
1931 
1932  /* The algorithm works as follows:
1933  it is assumed that previous
1934  iterations or the initial granted
1935  rights has already set some elements
1936  of `letters'. What we need to do is
1937  to clear those that weren't granted
1938  by the current PrC as well. The
1939  easiest way to do this is to add 1
1940  to all the elements whose letters
1941  are given with the current policy.
1942  That way, all elements that are set
1943  by the current policy and were
1944  already set by earlier policies and
1945  through the original grant of rights
1946  will get the value 2 or higher.
1947  The last thing to do is to sweep
1948  through `letters' and keep the
1949  elements having the value 2 as set,
1950  and clear all the others. */
1951 
1952  fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1953  while(i-- > 0)
1954  {
1955  int c = *s++;
1956  if (isascii(c) && isalpha(c))
1957  {
1958  if (islower(c))
1959  c = toupper(c);
1960  letters[c - 'A']++;
1961  }
1962  }
1963  for (i = 0; i < 26; i++)
1964  if (letters[i] < 2)
1965  letters[i] = 0;
1966  else
1967  letters[i] = 1;
1968  }
1969 
1970  found_any = 0;
1971  fprintf(stderr,
1972  ", resulting proxy rights = ");
1973  for(i = 0; i < 26; i++)
1974  if (letters[i])
1975  {
1976  fprintf(stderr, "%c", i + 'A');
1977  found_any = 1;
1978  }
1979  if (!found_any)
1980  fprintf(stderr, "none");
1981  fprintf(stderr, "\n");
1982 
1983  PROXY_CERT_INFO_EXTENSION_free(pci);
1984  }
1985  }
1986  }
1987 
1988  return(ok);
1989  }
1990 
1991 static void process_proxy_debug(int indent, const char *format, ...)
1992  {
1993  static const char indentation[] =
1994  ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1995  ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1996  char my_format[256];
1997  va_list args;
1998 
1999  BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2000  indent, indent, indentation, format);
2001 
2002  va_start(args, format);
2003  vfprintf(stderr, my_format, args);
2004  va_end(args);
2005  }
2006 /* Priority levels:
2007  0 [!]var, ()
2008  1 & ^
2009  2 |
2010 */
2011 static int process_proxy_cond_adders(unsigned int letters[26],
2012  const char *cond, const char **cond_end, int *pos, int indent);
2013 static int process_proxy_cond_val(unsigned int letters[26],
2014  const char *cond, const char **cond_end, int *pos, int indent)
2015  {
2016  int c;
2017  int ok = 1;
2018  int negate = 0;
2019 
2020  while(isspace((int)*cond))
2021  {
2022  cond++; (*pos)++;
2023  }
2024  c = *cond;
2025 
2026  if (debug)
2027  process_proxy_debug(indent,
2028  "Start process_proxy_cond_val at position %d: %s\n",
2029  *pos, cond);
2030 
2031  while(c == '!')
2032  {
2033  negate = !negate;
2034  cond++; (*pos)++;
2035  while(isspace((int)*cond))
2036  {
2037  cond++; (*pos)++;
2038  }
2039  c = *cond;
2040  }
2041 
2042  if (c == '(')
2043  {
2044  cond++; (*pos)++;
2045  ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2046  indent + 1);
2047  cond = *cond_end;
2048  if (ok < 0)
2049  goto end;
2050  while(isspace((int)*cond))
2051  {
2052  cond++; (*pos)++;
2053  }
2054  c = *cond;
2055  if (c != ')')
2056  {
2057  fprintf(stderr,
2058  "Weird condition character in position %d: "
2059  "%c\n", *pos, c);
2060  ok = -1;
2061  goto end;
2062  }
2063  cond++; (*pos)++;
2064  }
2065  else if (isascii(c) && isalpha(c))
2066  {
2067  if (islower(c))
2068  c = toupper(c);
2069  ok = letters[c - 'A'];
2070  cond++; (*pos)++;
2071  }
2072  else
2073  {
2074  fprintf(stderr,
2075  "Weird condition character in position %d: "
2076  "%c\n", *pos, c);
2077  ok = -1;
2078  goto end;
2079  }
2080  end:
2081  *cond_end = cond;
2082  if (ok >= 0 && negate)
2083  ok = !ok;
2084 
2085  if (debug)
2086  process_proxy_debug(indent,
2087  "End process_proxy_cond_val at position %d: %s, returning %d\n",
2088  *pos, cond, ok);
2089 
2090  return ok;
2091  }
2092 static int process_proxy_cond_multipliers(unsigned int letters[26],
2093  const char *cond, const char **cond_end, int *pos, int indent)
2094  {
2095  int ok;
2096  char c;
2097 
2098  if (debug)
2099  process_proxy_debug(indent,
2100  "Start process_proxy_cond_multipliers at position %d: %s\n",
2101  *pos, cond);
2102 
2103  ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2104  cond = *cond_end;
2105  if (ok < 0)
2106  goto end;
2107 
2108  while(ok >= 0)
2109  {
2110  while(isspace((int)*cond))
2111  {
2112  cond++; (*pos)++;
2113  }
2114  c = *cond;
2115 
2116  switch(c)
2117  {
2118  case '&':
2119  case '^':
2120  {
2121  int save_ok = ok;
2122 
2123  cond++; (*pos)++;
2124  ok = process_proxy_cond_val(letters,
2125  cond, cond_end, pos, indent + 1);
2126  cond = *cond_end;
2127  if (ok < 0)
2128  break;
2129 
2130  switch(c)
2131  {
2132  case '&':
2133  ok &= save_ok;
2134  break;
2135  case '^':
2136  ok ^= save_ok;
2137  break;
2138  default:
2139  fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2140  " STOPPING\n");
2141  EXIT(1);
2142  }
2143  }
2144  break;
2145  default:
2146  goto end;
2147  }
2148  }
2149  end:
2150  if (debug)
2151  process_proxy_debug(indent,
2152  "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2153  *pos, cond, ok);
2154 
2155  *cond_end = cond;
2156  return ok;
2157  }
2158 static int process_proxy_cond_adders(unsigned int letters[26],
2159  const char *cond, const char **cond_end, int *pos, int indent)
2160  {
2161  int ok;
2162  char c;
2163 
2164  if (debug)
2165  process_proxy_debug(indent,
2166  "Start process_proxy_cond_adders at position %d: %s\n",
2167  *pos, cond);
2168 
2169  ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2170  indent + 1);
2171  cond = *cond_end;
2172  if (ok < 0)
2173  goto end;
2174 
2175  while(ok >= 0)
2176  {
2177  while(isspace((int)*cond))
2178  {
2179  cond++; (*pos)++;
2180  }
2181  c = *cond;
2182 
2183  switch(c)
2184  {
2185  case '|':
2186  {
2187  int save_ok = ok;
2188 
2189  cond++; (*pos)++;
2190  ok = process_proxy_cond_multipliers(letters,
2191  cond, cond_end, pos, indent + 1);
2192  cond = *cond_end;
2193  if (ok < 0)
2194  break;
2195 
2196  switch(c)
2197  {
2198  case '|':
2199  ok |= save_ok;
2200  break;
2201  default:
2202  fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2203  " STOPPING\n");
2204  EXIT(1);
2205  }
2206  }
2207  break;
2208  default:
2209  goto end;
2210  }
2211  }
2212  end:
2213  if (debug)
2214  process_proxy_debug(indent,
2215  "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2216  *pos, cond, ok);
2217 
2218  *cond_end = cond;
2219  return ok;
2220  }
2221 
2222 static int process_proxy_cond(unsigned int letters[26],
2223  const char *cond, const char **cond_end)
2224  {
2225  int pos = 1;
2226  return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2227  }
2228 
2229 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2230  {
2231  int ok=1;
2232  struct app_verify_arg *cb_arg = arg;
2233  unsigned int letters[26]; /* only used with proxy_auth */
2234 
2235  if (cb_arg->app_verify)
2236  {
2237  char *s = NULL,buf[256];
2238 
2239  fprintf(stderr, "In app_verify_callback, allowing cert. ");
2240  fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2241  fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2242  (void *)ctx, (void *)ctx->cert);
2243  if (ctx->cert)
2244  s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2245  if (s != NULL)
2246  {
2247  fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2248  }
2249  return(1);
2250  }
2251  if (cb_arg->proxy_auth)
2252  {
2253  int found_any = 0, i;
2254  char *sp;
2255 
2256  for(i = 0; i < 26; i++)
2257  letters[i] = 0;
2258  for(sp = cb_arg->proxy_auth; *sp; sp++)
2259  {
2260  int c = *sp;
2261  if (isascii(c) && isalpha(c))
2262  {
2263  if (islower(c))
2264  c = toupper(c);
2265  letters[c - 'A'] = 1;
2266  }
2267  }
2268 
2269  fprintf(stderr,
2270  " Initial proxy rights = ");
2271  for(i = 0; i < 26; i++)
2272  if (letters[i])
2273  {
2274  fprintf(stderr, "%c", i + 'A');
2275  found_any = 1;
2276  }
2277  if (!found_any)
2278  fprintf(stderr, "none");
2279  fprintf(stderr, "\n");
2280 
2282  get_proxy_auth_ex_data_idx(),letters);
2283  }
2284  if (cb_arg->allow_proxy_certs)
2285  {
2287  }
2288 
2289 #ifndef OPENSSL_NO_X509_VERIFY
2290  ok = X509_verify_cert(ctx);
2291 #endif
2292 
2293  if (cb_arg->proxy_auth)
2294  {
2295  if (ok > 0)
2296  {
2297  const char *cond_end = NULL;
2298 
2299  ok = process_proxy_cond(letters,
2300  cb_arg->proxy_cond, &cond_end);
2301 
2302  if (ok < 0)
2303  EXIT(3);
2304  if (*cond_end)
2305  {
2306  fprintf(stderr, "Stopped processing condition before it's end.\n");
2307  ok = 0;
2308  }
2309  if (!ok)
2310  fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2311  cb_arg->proxy_cond);
2312  else
2313  fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2314  cb_arg->proxy_cond);
2315  }
2316  }
2317  return(ok);
2318  }
2319 
2320 #ifndef OPENSSL_NO_RSA
2321 static RSA *rsa_tmp=NULL;
2322 
2323 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2324  {
2325  BIGNUM *bn = NULL;
2326  if (rsa_tmp == NULL)
2327  {
2328  bn = BN_new();
2329  rsa_tmp = RSA_new();
2330  if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2331  {
2332  BIO_printf(bio_err, "Memory error...");
2333  goto end;
2334  }
2335  BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2336  (void)BIO_flush(bio_err);
2337  if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2338  {
2339  BIO_printf(bio_err, "Error generating key.");
2340  RSA_free(rsa_tmp);
2341  rsa_tmp = NULL;
2342  }
2343 end:
2344  BIO_printf(bio_err,"\n");
2345  (void)BIO_flush(bio_err);
2346  }
2347  if(bn) BN_free(bn);
2348  return(rsa_tmp);
2349  }
2350 
2351 static void free_tmp_rsa(void)
2352  {
2353  if (rsa_tmp != NULL)
2354  {
2355  RSA_free(rsa_tmp);
2356  rsa_tmp = NULL;
2357  }
2358  }
2359 #endif
2360 
2361 #ifndef OPENSSL_NO_DH
2362 /* These DH parameters have been generated as follows:
2363  * $ openssl dhparam -C -noout 512
2364  * $ openssl dhparam -C -noout 1024
2365  * $ openssl dhparam -C -noout -dsaparam 1024
2366  * (The third function has been renamed to avoid name conflicts.)
2367  */
2368 static DH *get_dh512()
2369  {
2370  static unsigned char dh512_p[]={
2371  0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2372  0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2373  0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2374  0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2375  0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2376  0x02,0xC5,0xAE,0x23,
2377  };
2378  static unsigned char dh512_g[]={
2379  0x02,
2380  };
2381  DH *dh;
2382 
2383  if ((dh=DH_new()) == NULL) return(NULL);
2384  dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2385  dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2386  if ((dh->p == NULL) || (dh->g == NULL))
2387  { DH_free(dh); return(NULL); }
2388  return(dh);
2389  }
2390 
2391 static DH *get_dh1024()
2392  {
2393  static unsigned char dh1024_p[]={
2394  0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2395  0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2396  0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2397  0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2398  0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2399  0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2400  0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2401  0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2402  0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2403  0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2404  0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2405  };
2406  static unsigned char dh1024_g[]={
2407  0x02,
2408  };
2409  DH *dh;
2410 
2411  if ((dh=DH_new()) == NULL) return(NULL);
2412  dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2413  dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2414  if ((dh->p == NULL) || (dh->g == NULL))
2415  { DH_free(dh); return(NULL); }
2416  return(dh);
2417  }
2418 
2419 static DH *get_dh1024dsa()
2420  {
2421  static unsigned char dh1024_p[]={
2422  0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2423  0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2424  0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2425  0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2426  0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2427  0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2428  0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2429  0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2430  0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2431  0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2432  0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2433  };
2434  static unsigned char dh1024_g[]={
2435  0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2436  0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2437  0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2438  0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2439  0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2440  0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2441  0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2442  0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2443  0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2444  0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2445  0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2446  };
2447  DH *dh;
2448 
2449  if ((dh=DH_new()) == NULL) return(NULL);
2450  dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2451  dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2452  if ((dh->p == NULL) || (dh->g == NULL))
2453  { DH_free(dh); return(NULL); }
2454  dh->length = 160;
2455  return(dh);
2456  }
2457 #endif
2458 
2459 #ifndef OPENSSL_NO_PSK
2460 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2461 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2462  unsigned int max_psk_len)
2463  {
2464  int ret;
2465  BIGNUM *bn = NULL;
2466 
2467  ret = BN_hex2bn(&bn, pskkey);
2468  if (!ret)
2469  {
2470  BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2471  if (bn)
2472  BN_free(bn);
2473  return 0;
2474  }
2475  if (BN_num_bytes(bn) > (int)max_psk_len)
2476  {
2477  BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2478  max_psk_len, BN_num_bytes(bn));
2479  BN_free(bn);
2480  return 0;
2481  }
2482  ret = BN_bn2bin(bn, psk);
2483  BN_free(bn);
2484  return ret;
2485  }
2486 
2487 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2488  unsigned int max_identity_len, unsigned char *psk,
2489  unsigned int max_psk_len)
2490  {
2491  int ret;
2492  unsigned int psk_len = 0;
2493 
2494  ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2495  if (ret < 0)
2496  goto out_err;
2497  if (debug)
2498  fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2499  ret = psk_key2bn(psk_key, psk, max_psk_len);
2500  if (ret < 0)
2501  goto out_err;
2502  psk_len = ret;
2503 out_err:
2504  return psk_len;
2505  }
2506 
2507 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2508  unsigned char *psk, unsigned int max_psk_len)
2509  {
2510  unsigned int psk_len=0;
2511 
2512  if (strcmp(identity, "Client_identity") != 0)
2513  {
2514  BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2515  return 0;
2516  }
2517  psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2518  return psk_len;
2519  }
2520 #endif
2521 
2522 static int do_test_cipherlist(void)
2523  {
2524  int i = 0;
2525  const SSL_METHOD *meth;
2526  const SSL_CIPHER *ci, *tci = NULL;
2527 
2528 #ifndef OPENSSL_NO_SSL2
2529  fprintf(stderr, "testing SSLv2 cipher list order: ");
2530  meth = SSLv2_method();
2531  while ((ci = meth->get_cipher(i++)) != NULL)
2532  {
2533  if (tci != NULL)
2534  if (ci->id >= tci->id)
2535  {
2536  fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2537  return 0;
2538  }
2539  tci = ci;
2540  }
2541  fprintf(stderr, "ok\n");
2542 #endif
2543 #ifndef OPENSSL_NO_SSL3
2544  fprintf(stderr, "testing SSLv3 cipher list order: ");
2545  meth = SSLv3_method();
2546  tci = NULL;
2547  while ((ci = meth->get_cipher(i++)) != NULL)
2548  {
2549  if (tci != NULL)
2550  if (ci->id >= tci->id)
2551  {
2552  fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2553  return 0;
2554  }
2555  tci = ci;
2556  }
2557  fprintf(stderr, "ok\n");
2558 #endif
2559 #ifndef OPENSSL_NO_TLS1
2560  fprintf(stderr, "testing TLSv1 cipher list order: ");
2561  meth = TLSv1_method();
2562  tci = NULL;
2563  while ((ci = meth->get_cipher(i++)) != NULL)
2564  {
2565  if (tci != NULL)
2566  if (ci->id >= tci->id)
2567  {
2568  fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2569  return 0;
2570  }
2571  tci = ci;
2572  }
2573  fprintf(stderr, "ok\n");
2574 #endif
2575 
2576  return 1;
2577  }