2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
131 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #ifndef OPENSSL_NO_RSA
147 #include <openssl/rsa.h>
149 #ifndef OPENSSL_NO_DSA
150 #include <openssl/dsa.h>
152 #ifndef OPENSSL_NO_DH
153 #include <openssl/dh.h>
155 #include <openssl/bn.h>
157 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
158 on Compaq platforms (at least with DEC C).
159 Do not try to put it earlier, or IPv6 includes
163 #ifdef OPENSSL_SYS_WINDOWS
166 #include OPENSSL_UNISTD
169 #ifdef OPENSSL_SYS_VMS
170 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
171 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
172 #elif defined(OPENSSL_SYS_WINCE)
173 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
174 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
175 #elif defined(OPENSSL_SYS_NETWARE)
176 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
177 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
179 # define TEST_SERVER_CERT "../apps/server.pem"
180 # define TEST_CLIENT_CERT "../apps/client.pem"
183 /* There is really no standard for this, so let's assign some tentative
184 numbers. In any case, these numbers are only for this test */
188 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
189 #ifndef OPENSSL_NO_RSA
190 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
191 static void free_tmp_rsa(void);
193 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
194 #define APP_CALLBACK_STRING "Test Callback Argument"
195 struct app_verify_arg
199 int allow_proxy_certs;
204 #ifndef OPENSSL_NO_DH
205 static DH *get_dh512(void);
206 static DH *get_dh1024(void);
207 static DH *get_dh1024dsa(void);
210 static BIO *bio_err=NULL;
211 static BIO *bio_stdout=NULL;
213 static char *cipher=NULL;
214 static int verbose=0;
223 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
225 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
226 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
227 static int do_test_cipherlist(void);
228 static void sv_usage(void)
230 fprintf(stderr,"usage: ssltest [args ...]\n");
231 fprintf(stderr,"\n");
232 fprintf(stderr," -server_auth - check server certificate\n");
233 fprintf(stderr," -client_auth - do client authentication\n");
234 fprintf(stderr," -proxy - allow proxy certificates\n");
235 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
236 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
237 fprintf(stderr," -v - more output\n");
238 fprintf(stderr," -d - debug output\n");
239 fprintf(stderr," -reuse - use session-id reuse\n");
240 fprintf(stderr," -num <val> - number of connections to perform\n");
241 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
242 #ifndef OPENSSL_NO_DH
243 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
244 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
245 fprintf(stderr," -no_dhe - disable DHE\n");
247 #ifndef OPENSSL_NO_ECDH
248 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
250 #ifndef OPENSSL_NO_SSL2
251 fprintf(stderr," -ssl2 - use SSLv2\n");
253 #ifndef OPENSSL_NO_SSL3
254 fprintf(stderr," -ssl3 - use SSLv3\n");
256 #ifndef OPENSSL_NO_TLS1
257 fprintf(stderr," -tls1 - use TLSv1\n");
259 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
260 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
261 fprintf(stderr," -cert arg - Server certificate file\n");
262 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
263 fprintf(stderr," -c_cert arg - Client certificate file\n");
264 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
265 fprintf(stderr," -cipher arg - The cipher list\n");
266 fprintf(stderr," -bio_pair - Use BIO pairs\n");
267 fprintf(stderr," -f - Test even cases that can't work\n");
268 fprintf(stderr," -time - measure processor time used by client and server\n");
269 fprintf(stderr," -zlib - use zlib compression\n");
270 fprintf(stderr," -rle - use rle compression\n");
271 #ifndef OPENSSL_NO_ECDH
272 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
273 " Use \"openssl ecparam -list_curves\" for all names\n" \
274 " (default is sect163r2).\n");
276 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
279 static void print_details(SSL *c_ssl, const char *prefix)
284 ciph=SSL_get_current_cipher(c_ssl);
285 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
287 SSL_get_version(c_ssl),
288 SSL_CIPHER_get_version(ciph),
289 SSL_CIPHER_get_name(ciph));
290 cert=SSL_get_peer_certificate(c_ssl);
293 EVP_PKEY *pkey = X509_get_pubkey(cert);
298 #ifndef OPENSSL_NO_RSA
299 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
300 && pkey->pkey.rsa->n != NULL)
302 BIO_printf(bio_stdout, ", %d bit RSA",
303 BN_num_bits(pkey->pkey.rsa->n));
306 #ifndef OPENSSL_NO_DSA
307 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
308 && pkey->pkey.dsa->p != NULL)
310 BIO_printf(bio_stdout, ", %d bit DSA",
311 BN_num_bits(pkey->pkey.dsa->p));
318 /* The SSL API does not allow us to look at temporary RSA/DH keys,
319 * otherwise we should print their lengths too */
320 BIO_printf(bio_stdout,"\n");
323 static void lock_dbg_cb(int mode, int type, const char *file, int line)
325 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
326 const char *errstr = NULL;
329 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
330 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
332 errstr = "invalid mode";
336 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
338 errstr = "type out of bounds";
342 if (mode & CRYPTO_LOCK)
346 errstr = "already locked";
347 /* must not happen in a single-threaded program
348 * (would deadlock) */
354 else if (mode & CRYPTO_UNLOCK)
358 errstr = "not locked";
362 if (modes[type] != rw)
364 errstr = (rw == CRYPTO_READ) ?
365 "CRYPTO_r_unlock on write lock" :
366 "CRYPTO_w_unlock on read lock";
373 errstr = "invalid mode";
380 /* we cannot use bio_err here */
381 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
382 errstr, mode, type, file, line);
387 int main(int argc, char *argv[])
389 char *CApath=NULL,*CAfile=NULL;
393 int tls1=0,ssl2=0,ssl3=0,ret=1;
396 struct app_verify_arg app_verify_arg =
397 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
398 char *server_cert=TEST_SERVER_CERT;
399 char *server_key=NULL;
400 char *client_cert=TEST_CLIENT_CERT;
401 char *client_key=NULL;
402 #ifndef OPENSSL_NO_ECDH
403 char *named_curve = NULL;
407 const SSL_METHOD *meth=NULL;
409 int number=1,reuse=0;
411 #ifndef OPENSSL_NO_DH
413 int dhe1024 = 0, dhe1024dsa = 0;
415 #ifndef OPENSSL_NO_ECDH
421 clock_t s_time = 0, c_time = 0;
423 COMP_METHOD *cm = NULL;
424 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
425 int test_cipherlist = 0;
431 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
433 CRYPTO_set_locking_callback(lock_dbg_cb);
435 /* enable memory leak checking unless explicitly disabled */
436 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
438 CRYPTO_malloc_debug_init();
439 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
443 /* OPENSSL_DEBUG_MEMORY=off */
444 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
446 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
448 RAND_seed(rnd_seed, sizeof rnd_seed);
450 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
457 if (strcmp(*argv,"-server_auth") == 0)
459 else if (strcmp(*argv,"-client_auth") == 0)
461 else if (strcmp(*argv,"-proxy_auth") == 0)
463 if (--argc < 1) goto bad;
464 app_verify_arg.proxy_auth= *(++argv);
466 else if (strcmp(*argv,"-proxy_cond") == 0)
468 if (--argc < 1) goto bad;
469 app_verify_arg.proxy_cond= *(++argv);
471 else if (strcmp(*argv,"-v") == 0)
473 else if (strcmp(*argv,"-d") == 0)
475 else if (strcmp(*argv,"-reuse") == 0)
477 else if (strcmp(*argv,"-dhe1024") == 0)
479 #ifndef OPENSSL_NO_DH
482 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
485 else if (strcmp(*argv,"-dhe1024dsa") == 0)
487 #ifndef OPENSSL_NO_DH
490 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
493 else if (strcmp(*argv,"-no_dhe") == 0)
495 else if (strcmp(*argv,"-no_ecdhe") == 0)
497 else if (strcmp(*argv,"-ssl2") == 0)
499 else if (strcmp(*argv,"-tls1") == 0)
501 else if (strcmp(*argv,"-ssl3") == 0)
503 else if (strncmp(*argv,"-num",4) == 0)
505 if (--argc < 1) goto bad;
506 number= atoi(*(++argv));
507 if (number == 0) number=1;
509 else if (strcmp(*argv,"-bytes") == 0)
511 if (--argc < 1) goto bad;
512 bytes= atol(*(++argv));
513 if (bytes == 0L) bytes=1L;
515 if (argv[0][i-1] == 'k') bytes*=1024L;
516 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
518 else if (strcmp(*argv,"-cert") == 0)
520 if (--argc < 1) goto bad;
521 server_cert= *(++argv);
523 else if (strcmp(*argv,"-s_cert") == 0)
525 if (--argc < 1) goto bad;
526 server_cert= *(++argv);
528 else if (strcmp(*argv,"-key") == 0)
530 if (--argc < 1) goto bad;
531 server_key= *(++argv);
533 else if (strcmp(*argv,"-s_key") == 0)
535 if (--argc < 1) goto bad;
536 server_key= *(++argv);
538 else if (strcmp(*argv,"-c_cert") == 0)
540 if (--argc < 1) goto bad;
541 client_cert= *(++argv);
543 else if (strcmp(*argv,"-c_key") == 0)
545 if (--argc < 1) goto bad;
546 client_key= *(++argv);
548 else if (strcmp(*argv,"-cipher") == 0)
550 if (--argc < 1) goto bad;
553 else if (strcmp(*argv,"-CApath") == 0)
555 if (--argc < 1) goto bad;
558 else if (strcmp(*argv,"-CAfile") == 0)
560 if (--argc < 1) goto bad;
563 else if (strcmp(*argv,"-bio_pair") == 0)
567 else if (strcmp(*argv,"-f") == 0)
571 else if (strcmp(*argv,"-time") == 0)
575 else if (strcmp(*argv,"-zlib") == 0)
579 else if (strcmp(*argv,"-rle") == 0)
583 else if (strcmp(*argv,"-named_curve") == 0)
585 if (--argc < 1) goto bad;
586 #ifndef OPENSSL_NO_ECDH
587 named_curve = *(++argv);
589 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
593 else if (strcmp(*argv,"-app_verify") == 0)
595 app_verify_arg.app_verify = 1;
597 else if (strcmp(*argv,"-proxy") == 0)
599 app_verify_arg.allow_proxy_certs = 1;
601 else if (strcmp(*argv,"-test_cipherlist") == 0)
607 fprintf(stderr,"unknown option %s\n",*argv);
621 if (test_cipherlist == 1)
623 /* ensure that the cipher list are correctly sorted and exit */
624 if (do_test_cipherlist() == 0)
630 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
632 fprintf(stderr, "This case cannot work. Use -f to perform "
633 "the test anyway (and\n-d to see what happens), "
634 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
635 "to avoid protocol mismatch.\n");
643 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
646 if (number < 50 && !force)
647 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
650 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
653 SSL_load_error_strings();
655 if (comp == COMP_ZLIB) cm = COMP_zlib();
656 if (comp == COMP_RLE) cm = COMP_rle();
659 if (cm->type != NID_undef)
661 if (SSL_COMP_add_compression_method(comp, cm) != 0)
664 "Failed to add compression method\n");
665 ERR_print_errors_fp(stderr);
671 "Warning: %s compression not supported\n",
672 (comp == COMP_RLE ? "rle" :
673 (comp == COMP_ZLIB ? "zlib" :
675 ERR_print_errors_fp(stderr);
678 ssl_comp_methods = SSL_COMP_get_compression_methods();
679 fprintf(stderr, "Available compression methods:\n");
681 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
683 fprintf(stderr, " NONE\n");
685 for (j = 0; j < n; j++)
687 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
688 fprintf(stderr, " %d: %s\n", c->id, c->name);
692 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
702 meth=SSLv23_method();
704 #ifdef OPENSSL_NO_SSL2
711 c_ctx=SSL_CTX_new(meth);
712 s_ctx=SSL_CTX_new(meth);
713 if ((c_ctx == NULL) || (s_ctx == NULL))
715 ERR_print_errors(bio_err);
721 SSL_CTX_set_cipher_list(c_ctx,cipher);
722 SSL_CTX_set_cipher_list(s_ctx,cipher);
725 #ifndef OPENSSL_NO_DH
730 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
731 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
738 SSL_CTX_set_tmp_dh(s_ctx,dh);
745 #ifndef OPENSSL_NO_ECDH
750 if (named_curve != NULL)
752 nid = OBJ_sn2nid(named_curve);
755 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
762 ecdh = EC_KEY_new_by_curve_name(nid);
765 BIO_printf(bio_err, "unable to create curve\n");
769 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
770 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
777 #ifndef OPENSSL_NO_RSA
778 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
781 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
783 ERR_print_errors(bio_err);
785 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
786 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
788 ERR_print_errors(bio_err);
794 SSL_CTX_use_certificate_file(c_ctx,client_cert,
796 SSL_CTX_use_PrivateKey_file(c_ctx,
797 (client_key?client_key:client_cert),
801 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
802 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
803 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
804 (!SSL_CTX_set_default_verify_paths(c_ctx)))
806 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
807 ERR_print_errors(bio_err);
813 BIO_printf(bio_err,"client authentication\n");
814 SSL_CTX_set_verify(s_ctx,
815 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
817 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
821 BIO_printf(bio_err,"server authentication\n");
822 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
824 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
828 int session_id_context = 0;
829 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
832 c_ssl=SSL_new(c_ctx);
833 s_ssl=SSL_new(s_ctx);
835 #ifndef OPENSSL_NO_KRB5
836 if (c_ssl && c_ssl->kssl_ctx)
838 char localhost[MAXHOSTNAMELEN+2];
840 if (gethostname(localhost, sizeof localhost-1) == 0)
842 localhost[sizeof localhost-1]='\0';
843 if(strlen(localhost) == sizeof localhost-1)
845 BIO_printf(bio_err,"localhost name too long\n");
848 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
852 #endif /* OPENSSL_NO_KRB5 */
854 for (i=0; i<number; i++)
856 if (!reuse) SSL_set_session(c_ssl,NULL);
858 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
860 ret=doit(s_ssl,c_ssl,bytes);
865 print_details(c_ssl, "");
867 if ((number > 1) || (bytes > 1L))
868 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
871 #ifdef CLOCKS_PER_SEC
872 /* "To determine the time in seconds, the value returned
873 * by the clock function should be divided by the value
874 * of the macro CLOCKS_PER_SEC."
876 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
877 "Approximate total client time: %6.2f s\n",
878 (double)s_time/CLOCKS_PER_SEC,
879 (double)c_time/CLOCKS_PER_SEC);
881 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
882 * -- cc on NeXTstep/OpenStep */
883 BIO_printf(bio_stdout,
884 "Approximate total server time: %6.2f units\n"
885 "Approximate total client time: %6.2f units\n",
895 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
896 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
898 if (bio_stdout != NULL) BIO_free(bio_stdout);
900 #ifndef OPENSSL_NO_RSA
903 #ifndef OPENSSL_NO_ENGINE
906 CRYPTO_cleanup_all_ex_data();
910 CRYPTO_mem_leaks(bio_err);
911 if (bio_err != NULL) BIO_free(bio_err);
916 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
917 clock_t *s_time, clock_t *c_time)
919 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
920 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
921 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
924 size_t bufsiz = 256; /* small buffer for testing */
926 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
928 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
931 s_ssl_bio = BIO_new(BIO_f_ssl());
935 c_ssl_bio = BIO_new(BIO_f_ssl());
939 SSL_set_connect_state(c_ssl);
940 SSL_set_bio(c_ssl, client, client);
941 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
943 SSL_set_accept_state(s_ssl);
944 SSL_set_bio(s_ssl, server, server);
945 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
949 /* c_ssl_bio: SSL filter BIO
951 * client: pseudo-I/O for SSL library
953 * client_io: client's SSL communication; usually to be
954 * relayed over some I/O facility, but in this
955 * test program, we're the server, too:
957 * server_io: server's SSL communication
959 * server: pseudo-I/O for SSL library
961 * s_ssl_bio: SSL filter BIO
963 * The client and the server each employ a "BIO pair":
964 * client + client_io, server + server_io.
965 * BIO pairs are symmetric. A BIO pair behaves similar
966 * to a non-blocking socketpair (but both endpoints must
967 * be handled by the same thread).
968 * [Here we could connect client and server to the ends
969 * of a single BIO pair, but then this code would be less
970 * suitable as an example for BIO pairs in general.]
972 * Useful functions for querying the state of BIO pair endpoints:
974 * BIO_ctrl_pending(bio) number of bytes we can read now
975 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
976 * other side's read attempt
977 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
979 * ..._read_request is never more than ..._write_guarantee;
980 * it depends on the application which one you should use.
983 /* We have non-blocking behaviour throughout this test program, but
984 * can be sure that there is *some* progress in each iteration; so
985 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
986 * -- we just try everything in each iteration
992 MS_STATIC char cbuf[1024*8];
994 clock_t c_clock = clock();
996 memset(cbuf, 0, sizeof(cbuf));
999 if (SSL_in_init(c_ssl))
1000 printf("client waiting in SSL_connect - %s\n",
1001 SSL_state_string_long(c_ssl));
1005 /* Write to server. */
1007 if (cw_num > (long)sizeof cbuf)
1011 r = BIO_write(c_ssl_bio, cbuf, i);
1014 if (!BIO_should_retry(c_ssl_bio))
1016 fprintf(stderr,"ERROR in CLIENT\n");
1019 /* BIO_should_retry(...) can just be ignored here.
1020 * The library expects us to call BIO_write with
1021 * the same arguments again, and that's what we will
1022 * do in the next iteration. */
1026 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1032 printf("client wrote %d\n", r);
1039 /* Read from server. */
1041 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1044 if (!BIO_should_retry(c_ssl_bio))
1046 fprintf(stderr,"ERROR in CLIENT\n");
1049 /* Again, "BIO_should_retry" can be ignored. */
1053 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1059 printf("client read %d\n", r);
1064 /* c_time and s_time increments will typically be very small
1065 * (depending on machine speed and clock tick intervals),
1066 * but sampling over a large number of connections should
1067 * result in fairly accurate figures. We cannot guarantee
1068 * a lot, however -- if each connection lasts for exactly
1069 * one clock tick, it will be counted only for the client
1070 * or only for the server or even not at all.
1072 *c_time += (clock() - c_clock);
1078 MS_STATIC char sbuf[1024*8];
1080 clock_t s_clock = clock();
1082 memset(sbuf, 0, sizeof(sbuf));
1085 if (SSL_in_init(s_ssl))
1086 printf("server waiting in SSL_accept - %s\n",
1087 SSL_state_string_long(s_ssl));
1091 /* Write to client. */
1093 if (sw_num > (long)sizeof sbuf)
1097 r = BIO_write(s_ssl_bio, sbuf, i);
1100 if (!BIO_should_retry(s_ssl_bio))
1102 fprintf(stderr,"ERROR in SERVER\n");
1105 /* Ignore "BIO_should_retry". */
1109 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1115 printf("server wrote %d\n", r);
1122 /* Read from client. */
1124 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1127 if (!BIO_should_retry(s_ssl_bio))
1129 fprintf(stderr,"ERROR in SERVER\n");
1136 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1142 printf("server read %d\n", r);
1147 *s_time += (clock() - s_clock);
1151 /* "I/O" BETWEEN CLIENT AND SERVER. */
1154 BIO *io1 = server_io, *io2 = client_io;
1155 /* we use the non-copying interface for io1
1156 * and the standard BIO_write/BIO_read interface for io2
1159 static int prev_progress = 1;
1168 r1 = BIO_ctrl_pending(io1);
1169 r2 = BIO_ctrl_get_write_guarantee(io2);
1178 if (INT_MAX < num) /* yeah, right */
1181 r = BIO_nread(io1, &dataptr, (int)num);
1183 assert(r <= (int)num);
1184 /* possibly r < num (non-contiguous data) */
1186 r = BIO_write(io2, dataptr, (int)num);
1187 if (r != (int)num) /* can't happen */
1189 fprintf(stderr, "ERROR: BIO_write could not write "
1190 "BIO_ctrl_get_write_guarantee() bytes");
1196 printf((io1 == client_io) ?
1197 "C->S relaying: %d bytes\n" :
1198 "S->C relaying: %d bytes\n",
1209 r1 = BIO_ctrl_pending(io2);
1210 r2 = BIO_ctrl_get_read_request(io1);
1211 /* here we could use ..._get_write_guarantee instead of
1212 * ..._get_read_request, but by using the latter
1213 * we test restartability of the SSL implementation
1214 * more thoroughly */
1226 --num; /* test restartability even more thoroughly */
1228 r = BIO_nwrite0(io1, &dataptr);
1232 r = BIO_read(io2, dataptr, (int)num);
1233 if (r != (int)num) /* can't happen */
1235 fprintf(stderr, "ERROR: BIO_read could not read "
1236 "BIO_ctrl_pending() bytes");
1240 r = BIO_nwrite(io1, &dataptr, (int)num);
1241 if (r != (int)num) /* can't happen */
1243 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1244 "BIO_nwrite0() bytes");
1249 printf((io2 == client_io) ?
1250 "C->S relaying: %d bytes\n" :
1251 "S->C relaying: %d bytes\n",
1254 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1256 if (!progress && !prev_progress)
1257 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1259 fprintf(stderr, "ERROR: got stuck\n");
1260 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1262 fprintf(stderr, "This can happen for SSL2 because "
1263 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1264 "concurrently ...");
1265 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1266 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1268 fprintf(stderr, " ok.\n");
1272 fprintf(stderr, " ERROR.\n");
1275 prev_progress = progress;
1278 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1281 print_details(c_ssl, "DONE via BIO pair: ");
1286 ERR_print_errors(bio_err);
1291 BIO_free(server_io);
1295 BIO_free(client_io);
1297 BIO_free(s_ssl_bio);
1299 BIO_free(c_ssl_bio);
1310 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1312 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1313 long cw_num=count,cr_num=count;
1314 long sw_num=count,sr_num=count;
1320 int c_r,c_w,s_r,s_w;
1324 int c_write,s_write;
1325 int do_server=0,do_client=0;
1327 memset(cbuf,0,sizeof(cbuf));
1328 memset(sbuf,0,sizeof(sbuf));
1330 c_to_s=BIO_new(BIO_s_mem());
1331 s_to_c=BIO_new(BIO_s_mem());
1332 if ((s_to_c == NULL) || (c_to_s == NULL))
1334 ERR_print_errors(bio_err);
1338 c_bio=BIO_new(BIO_f_ssl());
1339 s_bio=BIO_new(BIO_f_ssl());
1340 if ((c_bio == NULL) || (s_bio == NULL))
1342 ERR_print_errors(bio_err);
1346 SSL_set_connect_state(c_ssl);
1347 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1348 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1350 SSL_set_accept_state(s_ssl);
1351 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1352 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1358 c_write=1,s_write=0;
1360 /* We can always do writes */
1366 i=(int)BIO_pending(s_bio);
1367 if ((i && s_r) || s_w) do_server=1;
1369 i=(int)BIO_pending(c_bio);
1370 if ((i && c_r) || c_w) do_client=1;
1372 if (do_server && debug)
1374 if (SSL_in_init(s_ssl))
1375 printf("server waiting in SSL_accept - %s\n",
1376 SSL_state_string_long(s_ssl));
1377 /* else if (s_write)
1378 printf("server:SSL_write()\n");
1380 printf("server:SSL_read()\n"); */
1383 if (do_client && debug)
1385 if (SSL_in_init(c_ssl))
1386 printf("client waiting in SSL_connect - %s\n",
1387 SSL_state_string_long(c_ssl));
1388 /* else if (c_write)
1389 printf("client:SSL_write()\n");
1391 printf("client:SSL_read()\n"); */
1394 if (!do_client && !do_server)
1396 fprintf(stdout,"ERROR IN STARTUP\n");
1397 ERR_print_errors(bio_err);
1400 if (do_client && !(done & C_DONE))
1404 j = (cw_num > (long)sizeof(cbuf)) ?
1405 (int)sizeof(cbuf) : (int)cw_num;
1406 i=BIO_write(c_bio,cbuf,j);
1411 if (BIO_should_retry(c_bio))
1413 if (BIO_should_read(c_bio))
1415 if (BIO_should_write(c_bio))
1420 fprintf(stderr,"ERROR in CLIENT\n");
1421 ERR_print_errors(bio_err);
1427 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1433 printf("client wrote %d\n",i);
1442 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1447 if (BIO_should_retry(c_bio))
1449 if (BIO_should_read(c_bio))
1451 if (BIO_should_write(c_bio))
1456 fprintf(stderr,"ERROR in CLIENT\n");
1457 ERR_print_errors(bio_err);
1463 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1469 printf("client read %d\n",i);
1486 if (do_server && !(done & S_DONE))
1490 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1495 if (BIO_should_retry(s_bio))
1497 if (BIO_should_read(s_bio))
1499 if (BIO_should_write(s_bio))
1504 fprintf(stderr,"ERROR in SERVER\n");
1505 ERR_print_errors(bio_err);
1511 ERR_print_errors(bio_err);
1512 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1518 printf("server read %d\n",i);
1535 j = (sw_num > (long)sizeof(sbuf)) ?
1536 (int)sizeof(sbuf) : (int)sw_num;
1537 i=BIO_write(s_bio,sbuf,j);
1542 if (BIO_should_retry(s_bio))
1544 if (BIO_should_read(s_bio))
1546 if (BIO_should_write(s_bio))
1551 fprintf(stderr,"ERROR in SERVER\n");
1552 ERR_print_errors(bio_err);
1558 ERR_print_errors(bio_err);
1559 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1565 printf("server wrote %d\n",i);
1575 if ((done & S_DONE) && (done & C_DONE)) break;
1579 print_details(c_ssl, "DONE: ");
1582 /* We have to set the BIO's to NULL otherwise they will be
1583 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1584 * again when c_ssl is SSL_free()ed.
1585 * This is a hack required because s_ssl and c_ssl are sharing the same
1586 * BIO structure and SSL_set_bio() and SSL_free() automatically
1587 * BIO_free non NULL entries.
1588 * You should not normally do this or be required to do this */
1600 if (c_to_s != NULL) BIO_free(c_to_s);
1601 if (s_to_c != NULL) BIO_free(s_to_c);
1602 if (c_bio != NULL) BIO_free_all(c_bio);
1603 if (s_bio != NULL) BIO_free_all(s_bio);
1607 static int get_proxy_auth_ex_data_idx(void)
1609 static volatile int idx = -1;
1612 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1615 idx = X509_STORE_CTX_get_ex_new_index(0,
1616 "SSLtest for verify callback", NULL,NULL,NULL);
1618 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1623 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1627 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1632 fprintf(stderr,"depth=%d %s\n",
1633 ctx->error_depth,buf);
1636 fprintf(stderr,"depth=%d error=%d %s\n",
1637 ctx->error_depth,ctx->error,buf);
1643 fprintf(stderr,"Error string: %s\n",
1644 X509_verify_cert_error_string(ctx->error));
1647 case X509_V_ERR_CERT_NOT_YET_VALID:
1648 case X509_V_ERR_CERT_HAS_EXPIRED:
1649 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1650 fprintf(stderr," ... ignored.\n");
1657 X509 *xs = ctx->current_cert;
1659 X509 *xi = ctx->current_issuer;
1662 if (xs->ex_flags & EXFLAG_PROXY)
1664 unsigned int *letters =
1665 X509_STORE_CTX_get_ex_data(ctx,
1666 get_proxy_auth_ex_data_idx());
1672 PROXY_CERT_INFO_EXTENSION *pci =
1673 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1676 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1678 case NID_Independent:
1679 /* Completely meaningless in this
1680 program, as there's no way to
1681 grant explicit rights to a
1682 specific PrC. Basically, using
1683 id-ppl-Independent is the perfect
1684 way to grant no rights at all. */
1685 fprintf(stderr, " Independent proxy certificate");
1686 for (i = 0; i < 26; i++)
1689 case NID_id_ppl_inheritAll:
1690 /* This is basically a NOP, we
1691 simply let the current rights
1692 stand as they are. */
1693 fprintf(stderr, " Proxy certificate inherits all");
1697 pci->proxyPolicy->policy->data;
1698 i = pci->proxyPolicy->policy->length;
1700 /* The algorithm works as follows:
1701 it is assumed that previous
1702 iterations or the initial granted
1703 rights has already set some elements
1704 of `letters'. What we need to do is
1705 to clear those that weren't granted
1706 by the current PrC as well. The
1707 easiest way to do this is to add 1
1708 to all the elements whose letters
1709 are given with the current policy.
1710 That way, all elements that are set
1711 by the current policy and were
1712 already set by earlier policies and
1713 through the original grant of rights
1714 will get the value 2 or higher.
1715 The last thing to do is to sweep
1716 through `letters' and keep the
1717 elements having the value 2 as set,
1718 and clear all the others. */
1720 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1724 if (isascii(c) && isalpha(c))
1731 for (i = 0; i < 26; i++)
1740 ", resulting proxy rights = ");
1741 for(i = 0; i < 26; i++)
1744 fprintf(stderr, "%c", i + 'A');
1748 fprintf(stderr, "none");
1749 fprintf(stderr, "\n");
1751 PROXY_CERT_INFO_EXTENSION_free(pci);
1759 static void process_proxy_debug(int indent, const char *format, ...)
1761 static const char indentation[] =
1762 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1763 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1764 char my_format[256];
1767 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1768 indent, indent, indentation, format);
1770 va_start(args, format);
1771 vfprintf(stderr, my_format, args);
1779 static int process_proxy_cond_adders(unsigned int letters[26],
1780 const char *cond, const char **cond_end, int *pos, int indent);
1781 static int process_proxy_cond_val(unsigned int letters[26],
1782 const char *cond, const char **cond_end, int *pos, int indent)
1788 while(isspace((int)*cond))
1795 process_proxy_debug(indent,
1796 "Start process_proxy_cond_val at position %d: %s\n",
1803 while(isspace((int)*cond))
1813 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1818 while(isspace((int)*cond))
1826 "Weird condition character in position %d: "
1833 else if (isascii(c) && isalpha(c))
1837 ok = letters[c - 'A'];
1843 "Weird condition character in position %d: "
1850 if (ok >= 0 && negate)
1854 process_proxy_debug(indent,
1855 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1860 static int process_proxy_cond_multipliers(unsigned int letters[26],
1861 const char *cond, const char **cond_end, int *pos, int indent)
1867 process_proxy_debug(indent,
1868 "Start process_proxy_cond_multipliers at position %d: %s\n",
1871 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1878 while(isspace((int)*cond))
1892 ok = process_proxy_cond_val(letters,
1893 cond, cond_end, pos, indent + 1);
1907 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1919 process_proxy_debug(indent,
1920 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1926 static int process_proxy_cond_adders(unsigned int letters[26],
1927 const char *cond, const char **cond_end, int *pos, int indent)
1933 process_proxy_debug(indent,
1934 "Start process_proxy_cond_adders at position %d: %s\n",
1937 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1945 while(isspace((int)*cond))
1958 ok = process_proxy_cond_multipliers(letters,
1959 cond, cond_end, pos, indent + 1);
1970 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1982 process_proxy_debug(indent,
1983 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1990 static int process_proxy_cond(unsigned int letters[26],
1991 const char *cond, const char **cond_end)
1994 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1997 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2000 struct app_verify_arg *cb_arg = arg;
2001 unsigned int letters[26]; /* only used with proxy_auth */
2003 if (cb_arg->app_verify)
2005 char *s = NULL,buf[256];
2007 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2008 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2009 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2010 (void *)ctx, (void *)ctx->cert);
2012 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2015 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2019 if (cb_arg->proxy_auth)
2021 int found_any = 0, i;
2024 for(i = 0; i < 26; i++)
2026 for(sp = cb_arg->proxy_auth; *sp; sp++)
2029 if (isascii(c) && isalpha(c))
2033 letters[c - 'A'] = 1;
2038 " Initial proxy rights = ");
2039 for(i = 0; i < 26; i++)
2042 fprintf(stderr, "%c", i + 'A');
2046 fprintf(stderr, "none");
2047 fprintf(stderr, "\n");
2049 X509_STORE_CTX_set_ex_data(ctx,
2050 get_proxy_auth_ex_data_idx(),letters);
2052 if (cb_arg->allow_proxy_certs)
2054 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2057 #ifndef OPENSSL_NO_X509_VERIFY
2058 # ifdef OPENSSL_FIPS
2059 if(s->version == TLS1_VERSION)
2062 ok = X509_verify_cert(ctx);
2063 # ifdef OPENSSL_FIPS
2064 if(s->version == TLS1_VERSION)
2069 if (cb_arg->proxy_auth)
2073 const char *cond_end = NULL;
2075 ok = process_proxy_cond(letters,
2076 cb_arg->proxy_cond, &cond_end);
2082 fprintf(stderr, "Stopped processing condition before it's end.\n");
2086 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2087 cb_arg->proxy_cond);
2089 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2090 cb_arg->proxy_cond);
2096 #ifndef OPENSSL_NO_RSA
2097 static RSA *rsa_tmp=NULL;
2099 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2102 if (rsa_tmp == NULL)
2105 rsa_tmp = RSA_new();
2106 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2108 BIO_printf(bio_err, "Memory error...");
2111 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2112 (void)BIO_flush(bio_err);
2113 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2115 BIO_printf(bio_err, "Error generating key.");
2120 BIO_printf(bio_err,"\n");
2121 (void)BIO_flush(bio_err);
2127 static void free_tmp_rsa(void)
2129 if (rsa_tmp != NULL)
2137 #ifndef OPENSSL_NO_DH
2138 /* These DH parameters have been generated as follows:
2139 * $ openssl dhparam -C -noout 512
2140 * $ openssl dhparam -C -noout 1024
2141 * $ openssl dhparam -C -noout -dsaparam 1024
2142 * (The third function has been renamed to avoid name conflicts.)
2144 static DH *get_dh512()
2146 static unsigned char dh512_p[]={
2147 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2148 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2149 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2150 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2151 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2152 0x02,0xC5,0xAE,0x23,
2154 static unsigned char dh512_g[]={
2159 if ((dh=DH_new()) == NULL) return(NULL);
2160 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2161 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2162 if ((dh->p == NULL) || (dh->g == NULL))
2163 { DH_free(dh); return(NULL); }
2167 static DH *get_dh1024()
2169 static unsigned char dh1024_p[]={
2170 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2171 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2172 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2173 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2174 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2175 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2176 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2177 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2178 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2179 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2180 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2182 static unsigned char dh1024_g[]={
2187 if ((dh=DH_new()) == NULL) return(NULL);
2188 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2189 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2190 if ((dh->p == NULL) || (dh->g == NULL))
2191 { DH_free(dh); return(NULL); }
2195 static DH *get_dh1024dsa()
2197 static unsigned char dh1024_p[]={
2198 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2199 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2200 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2201 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2202 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2203 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2204 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2205 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2206 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2207 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2208 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2210 static unsigned char dh1024_g[]={
2211 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2212 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2213 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2214 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2215 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2216 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2217 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2218 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2219 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2220 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2221 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2225 if ((dh=DH_new()) == NULL) return(NULL);
2226 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2227 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2228 if ((dh->p == NULL) || (dh->g == NULL))
2229 { DH_free(dh); return(NULL); }
2234 static int do_test_cipherlist(void)
2237 const SSL_METHOD *meth;
2238 SSL_CIPHER *ci, *tci = NULL;
2240 fprintf(stderr, "testing SSLv2 cipher list order: ");
2241 meth = SSLv2_method();
2242 while ((ci = meth->get_cipher(i++)) != NULL)
2245 if (ci->id >= tci->id)
2247 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2252 fprintf(stderr, "ok\n");
2254 fprintf(stderr, "testing SSLv3 cipher list order: ");
2255 meth = SSLv3_method();
2257 while ((ci = meth->get_cipher(i++)) != NULL)
2260 if (ci->id >= tci->id)
2262 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2267 fprintf(stderr, "ok\n");
2269 fprintf(stderr, "testing TLSv1 cipher list order: ");
2270 meth = TLSv1_method();
2272 while ((ci = meth->get_cipher(i++)) != NULL)
2275 if (ci->id >= tci->id)
2277 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2282 fprintf(stderr, "ok\n");