2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
146 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
147 VMS (at least with DECompHP C). */
162 #include <openssl/bio.h>
163 #include <openssl/crypto.h>
164 #include <openssl/evp.h>
165 #include <openssl/x509.h>
166 #include <openssl/x509v3.h>
167 #include <openssl/ssl.h>
168 #ifndef OPENSSL_NO_ENGINE
169 #include <openssl/engine.h>
171 #include <openssl/err.h>
172 #include <openssl/rand.h>
173 #ifndef OPENSSL_NO_RSA
174 #include <openssl/rsa.h>
176 #ifndef OPENSSL_NO_DSA
177 #include <openssl/dsa.h>
179 #ifndef OPENSSL_NO_DH
180 #include <openssl/dh.h>
182 #include <openssl/bn.h>
184 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
185 on Compaq platforms (at least with DEC C).
186 Do not try to put it earlier, or IPv6 includes
190 #ifdef OPENSSL_SYS_WINDOWS
193 #include OPENSSL_UNISTD
196 #ifdef OPENSSL_SYS_VMS
197 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
198 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
199 #elif defined(OPENSSL_SYS_WINCE)
200 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
201 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
202 #elif defined(OPENSSL_SYS_NETWARE)
203 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
204 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
206 # define TEST_SERVER_CERT "../apps/server.pem"
207 # define TEST_CLIENT_CERT "../apps/client.pem"
210 /* There is really no standard for this, so let's assign some tentative
211 numbers. In any case, these numbers are only for this test */
215 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
216 #ifndef OPENSSL_NO_RSA
217 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
218 static void free_tmp_rsa(void);
220 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
221 #define APP_CALLBACK_STRING "Test Callback Argument"
222 struct app_verify_arg
226 int allow_proxy_certs;
231 #ifndef OPENSSL_NO_DH
232 static DH *get_dh512(void);
233 static DH *get_dh1024(void);
234 static DH *get_dh1024dsa(void);
238 static char *psk_key=NULL; /* by default PSK is not used */
239 #ifndef OPENSSL_NO_PSK
240 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
241 unsigned int max_identity_len, unsigned char *psk,
242 unsigned int max_psk_len);
243 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
244 unsigned int max_psk_len);
247 static BIO *bio_err=NULL;
248 static BIO *bio_stdout=NULL;
250 static char *cipher=NULL;
251 static int verbose=0;
260 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
262 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
263 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
264 static int do_test_cipherlist(void);
265 static void sv_usage(void)
267 fprintf(stderr,"usage: ssltest [args ...]\n");
268 fprintf(stderr,"\n");
269 fprintf(stderr," -server_auth - check server certificate\n");
270 fprintf(stderr," -client_auth - do client authentication\n");
271 fprintf(stderr," -proxy - allow proxy certificates\n");
272 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
273 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
274 fprintf(stderr," -v - more output\n");
275 fprintf(stderr," -d - debug output\n");
276 fprintf(stderr," -reuse - use session-id reuse\n");
277 fprintf(stderr," -num <val> - number of connections to perform\n");
278 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
279 #ifndef OPENSSL_NO_DH
280 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
281 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
282 fprintf(stderr," -no_dhe - disable DHE\n");
284 #ifndef OPENSSL_NO_ECDH
285 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
287 #ifndef OPENSSL_NO_PSK
288 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
290 #ifndef OPENSSL_NO_SSL2
291 fprintf(stderr," -ssl2 - use SSLv2\n");
293 #ifndef OPENSSL_NO_SSL3
294 fprintf(stderr," -ssl3 - use SSLv3\n");
296 #ifndef OPENSSL_NO_TLS1
297 fprintf(stderr," -tls1 - use TLSv1\n");
299 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
300 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
301 fprintf(stderr," -cert arg - Server certificate file\n");
302 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
303 fprintf(stderr," -c_cert arg - Client certificate file\n");
304 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
305 fprintf(stderr," -cipher arg - The cipher list\n");
306 fprintf(stderr," -bio_pair - Use BIO pairs\n");
307 fprintf(stderr," -f - Test even cases that can't work\n");
308 fprintf(stderr," -time - measure processor time used by client and server\n");
309 fprintf(stderr," -zlib - use zlib compression\n");
310 fprintf(stderr," -rle - use rle compression\n");
311 #ifndef OPENSSL_NO_ECDH
312 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
313 " Use \"openssl ecparam -list_curves\" for all names\n" \
314 " (default is sect163r2).\n");
316 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
319 static void print_details(SSL *c_ssl, const char *prefix)
321 const SSL_CIPHER *ciph;
324 ciph=SSL_get_current_cipher(c_ssl);
325 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
327 SSL_get_version(c_ssl),
328 SSL_CIPHER_get_version(ciph),
329 SSL_CIPHER_get_name(ciph));
330 cert=SSL_get_peer_certificate(c_ssl);
333 EVP_PKEY *pkey = X509_get_pubkey(cert);
338 #ifndef OPENSSL_NO_RSA
339 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
340 && pkey->pkey.rsa->n != NULL)
342 BIO_printf(bio_stdout, ", %d bit RSA",
343 BN_num_bits(pkey->pkey.rsa->n));
346 #ifndef OPENSSL_NO_DSA
347 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
348 && pkey->pkey.dsa->p != NULL)
350 BIO_printf(bio_stdout, ", %d bit DSA",
351 BN_num_bits(pkey->pkey.dsa->p));
358 /* The SSL API does not allow us to look at temporary RSA/DH keys,
359 * otherwise we should print their lengths too */
360 BIO_printf(bio_stdout,"\n");
363 static void lock_dbg_cb(int mode, int type, const char *file, int line)
365 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
366 const char *errstr = NULL;
369 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
370 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
372 errstr = "invalid mode";
376 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
378 errstr = "type out of bounds";
382 if (mode & CRYPTO_LOCK)
386 errstr = "already locked";
387 /* must not happen in a single-threaded program
388 * (would deadlock) */
394 else if (mode & CRYPTO_UNLOCK)
398 errstr = "not locked";
402 if (modes[type] != rw)
404 errstr = (rw == CRYPTO_READ) ?
405 "CRYPTO_r_unlock on write lock" :
406 "CRYPTO_w_unlock on read lock";
413 errstr = "invalid mode";
420 /* we cannot use bio_err here */
421 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
422 errstr, mode, type, file, line);
426 #ifdef TLSEXT_TYPE_opaque_prf_input
427 struct cb_info_st { void *input; size_t len; int ret; };
428 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
429 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
430 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
431 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
433 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
435 struct cb_info_st *arg = arg_;
440 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
446 int main(int argc, char *argv[])
448 char *CApath=NULL,*CAfile=NULL;
452 int tls1=0,ssl2=0,ssl3=0,ret=1;
455 struct app_verify_arg app_verify_arg =
456 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
457 char *server_cert=TEST_SERVER_CERT;
458 char *server_key=NULL;
459 char *client_cert=TEST_CLIENT_CERT;
460 char *client_key=NULL;
461 #ifndef OPENSSL_NO_ECDH
462 char *named_curve = NULL;
466 const SSL_METHOD *meth=NULL;
468 int number=1,reuse=0;
470 #ifndef OPENSSL_NO_DH
472 int dhe1024 = 0, dhe1024dsa = 0;
474 #ifndef OPENSSL_NO_ECDH
481 clock_t s_time = 0, c_time = 0;
483 #ifndef OPENSSL_NO_COMP
484 COMP_METHOD *cm = NULL;
486 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
487 int test_cipherlist = 0;
493 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
495 CRYPTO_set_locking_callback(lock_dbg_cb);
497 /* enable memory leak checking unless explicitly disabled */
498 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
500 CRYPTO_malloc_debug_init();
501 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
505 /* OPENSSL_DEBUG_MEMORY=off */
506 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
508 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
510 RAND_seed(rnd_seed, sizeof rnd_seed);
512 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
519 if (strcmp(*argv,"-server_auth") == 0)
521 else if (strcmp(*argv,"-client_auth") == 0)
523 else if (strcmp(*argv,"-proxy_auth") == 0)
525 if (--argc < 1) goto bad;
526 app_verify_arg.proxy_auth= *(++argv);
528 else if (strcmp(*argv,"-proxy_cond") == 0)
530 if (--argc < 1) goto bad;
531 app_verify_arg.proxy_cond= *(++argv);
533 else if (strcmp(*argv,"-v") == 0)
535 else if (strcmp(*argv,"-d") == 0)
537 else if (strcmp(*argv,"-reuse") == 0)
539 else if (strcmp(*argv,"-dhe1024") == 0)
541 #ifndef OPENSSL_NO_DH
544 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
547 else if (strcmp(*argv,"-dhe1024dsa") == 0)
549 #ifndef OPENSSL_NO_DH
552 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
555 else if (strcmp(*argv,"-no_dhe") == 0)
557 else if (strcmp(*argv,"-no_ecdhe") == 0)
559 else if (strcmp(*argv,"-psk") == 0)
561 if (--argc < 1) goto bad;
563 #ifndef OPENSSL_NO_PSK
564 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
566 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
573 else if (strcmp(*argv,"-ssl2") == 0)
575 else if (strcmp(*argv,"-tls1") == 0)
577 else if (strcmp(*argv,"-ssl3") == 0)
579 else if (strncmp(*argv,"-num",4) == 0)
581 if (--argc < 1) goto bad;
582 number= atoi(*(++argv));
583 if (number == 0) number=1;
585 else if (strcmp(*argv,"-bytes") == 0)
587 if (--argc < 1) goto bad;
588 bytes= atol(*(++argv));
589 if (bytes == 0L) bytes=1L;
591 if (argv[0][i-1] == 'k') bytes*=1024L;
592 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
594 else if (strcmp(*argv,"-cert") == 0)
596 if (--argc < 1) goto bad;
597 server_cert= *(++argv);
599 else if (strcmp(*argv,"-s_cert") == 0)
601 if (--argc < 1) goto bad;
602 server_cert= *(++argv);
604 else if (strcmp(*argv,"-key") == 0)
606 if (--argc < 1) goto bad;
607 server_key= *(++argv);
609 else if (strcmp(*argv,"-s_key") == 0)
611 if (--argc < 1) goto bad;
612 server_key= *(++argv);
614 else if (strcmp(*argv,"-c_cert") == 0)
616 if (--argc < 1) goto bad;
617 client_cert= *(++argv);
619 else if (strcmp(*argv,"-c_key") == 0)
621 if (--argc < 1) goto bad;
622 client_key= *(++argv);
624 else if (strcmp(*argv,"-cipher") == 0)
626 if (--argc < 1) goto bad;
629 else if (strcmp(*argv,"-CApath") == 0)
631 if (--argc < 1) goto bad;
634 else if (strcmp(*argv,"-CAfile") == 0)
636 if (--argc < 1) goto bad;
639 else if (strcmp(*argv,"-bio_pair") == 0)
643 else if (strcmp(*argv,"-f") == 0)
647 else if (strcmp(*argv,"-time") == 0)
651 else if (strcmp(*argv,"-zlib") == 0)
655 else if (strcmp(*argv,"-rle") == 0)
659 else if (strcmp(*argv,"-named_curve") == 0)
661 if (--argc < 1) goto bad;
662 #ifndef OPENSSL_NO_ECDH
663 named_curve = *(++argv);
665 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
669 else if (strcmp(*argv,"-app_verify") == 0)
671 app_verify_arg.app_verify = 1;
673 else if (strcmp(*argv,"-proxy") == 0)
675 app_verify_arg.allow_proxy_certs = 1;
677 else if (strcmp(*argv,"-test_cipherlist") == 0)
683 fprintf(stderr,"unknown option %s\n",*argv);
697 if (test_cipherlist == 1)
699 /* ensure that the cipher list are correctly sorted and exit */
700 if (do_test_cipherlist() == 0)
706 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
708 fprintf(stderr, "This case cannot work. Use -f to perform "
709 "the test anyway (and\n-d to see what happens), "
710 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
711 "to avoid protocol mismatch.\n");
719 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
722 if (number < 50 && !force)
723 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
726 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
729 SSL_load_error_strings();
731 #ifndef OPENSSL_NO_COMP
732 if (comp == COMP_ZLIB) cm = COMP_zlib();
733 if (comp == COMP_RLE) cm = COMP_rle();
736 if (cm->type != NID_undef)
738 if (SSL_COMP_add_compression_method(comp, cm) != 0)
741 "Failed to add compression method\n");
742 ERR_print_errors_fp(stderr);
748 "Warning: %s compression not supported\n",
749 (comp == COMP_RLE ? "rle" :
750 (comp == COMP_ZLIB ? "zlib" :
752 ERR_print_errors_fp(stderr);
755 ssl_comp_methods = SSL_COMP_get_compression_methods();
756 fprintf(stderr, "Available compression methods:\n");
758 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
760 fprintf(stderr, " NONE\n");
762 for (j = 0; j < n; j++)
764 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
765 fprintf(stderr, " %d: %s\n", c->id, c->name);
770 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
780 meth=SSLv23_method();
782 #ifdef OPENSSL_NO_SSL2
789 c_ctx=SSL_CTX_new(meth);
790 s_ctx=SSL_CTX_new(meth);
791 if ((c_ctx == NULL) || (s_ctx == NULL))
793 ERR_print_errors(bio_err);
799 SSL_CTX_set_cipher_list(c_ctx,cipher);
800 SSL_CTX_set_cipher_list(s_ctx,cipher);
803 #ifndef OPENSSL_NO_DH
808 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
809 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
816 SSL_CTX_set_tmp_dh(s_ctx,dh);
823 #ifndef OPENSSL_NO_ECDH
828 if (named_curve != NULL)
830 nid = OBJ_sn2nid(named_curve);
833 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
840 ecdh = EC_KEY_new_by_curve_name(nid);
843 BIO_printf(bio_err, "unable to create curve\n");
847 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
848 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
855 #ifndef OPENSSL_NO_RSA
856 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
859 #ifdef TLSEXT_TYPE_opaque_prf_input
860 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
861 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
862 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
863 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
866 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
868 ERR_print_errors(bio_err);
870 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
871 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
873 ERR_print_errors(bio_err);
879 SSL_CTX_use_certificate_file(c_ctx,client_cert,
881 SSL_CTX_use_PrivateKey_file(c_ctx,
882 (client_key?client_key:client_cert),
886 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
887 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
888 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
889 (!SSL_CTX_set_default_verify_paths(c_ctx)))
891 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
892 ERR_print_errors(bio_err);
898 BIO_printf(bio_err,"client authentication\n");
899 SSL_CTX_set_verify(s_ctx,
900 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
902 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
906 BIO_printf(bio_err,"server authentication\n");
907 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
909 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
913 int session_id_context = 0;
914 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
917 /* Use PSK only if PSK key is given */
920 /* no_psk is used to avoid putting psk command to openssl tool */
923 /* if PSK is not compiled in and psk key is
924 * given, do nothing and exit successfully */
928 #ifndef OPENSSL_NO_PSK
929 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
930 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
932 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
933 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
935 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
936 ERR_print_errors(bio_err);
942 c_ssl=SSL_new(c_ctx);
943 s_ssl=SSL_new(s_ctx);
945 #ifndef OPENSSL_NO_KRB5
946 if (c_ssl && c_ssl->kssl_ctx)
948 char localhost[MAXHOSTNAMELEN+2];
950 if (gethostname(localhost, sizeof localhost-1) == 0)
952 localhost[sizeof localhost-1]='\0';
953 if(strlen(localhost) == sizeof localhost-1)
955 BIO_printf(bio_err,"localhost name too long\n");
958 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
962 #endif /* OPENSSL_NO_KRB5 */
964 for (i=0; i<number; i++)
966 if (!reuse) SSL_set_session(c_ssl,NULL);
968 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
970 ret=doit(s_ssl,c_ssl,bytes);
975 print_details(c_ssl, "");
977 if ((number > 1) || (bytes > 1L))
978 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
981 #ifdef CLOCKS_PER_SEC
982 /* "To determine the time in seconds, the value returned
983 * by the clock function should be divided by the value
984 * of the macro CLOCKS_PER_SEC."
986 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
987 "Approximate total client time: %6.2f s\n",
988 (double)s_time/CLOCKS_PER_SEC,
989 (double)c_time/CLOCKS_PER_SEC);
991 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
992 * -- cc on NeXTstep/OpenStep */
993 BIO_printf(bio_stdout,
994 "Approximate total server time: %6.2f units\n"
995 "Approximate total client time: %6.2f units\n",
1005 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1006 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1008 if (bio_stdout != NULL) BIO_free(bio_stdout);
1010 #ifndef OPENSSL_NO_RSA
1013 #ifndef OPENSSL_NO_ENGINE
1016 CRYPTO_cleanup_all_ex_data();
1018 ERR_remove_thread_state(NULL);
1020 CRYPTO_mem_leaks(bio_err);
1021 if (bio_err != NULL) BIO_free(bio_err);
1026 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1027 clock_t *s_time, clock_t *c_time)
1029 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1030 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1031 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1034 size_t bufsiz = 256; /* small buffer for testing */
1036 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1038 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1041 s_ssl_bio = BIO_new(BIO_f_ssl());
1045 c_ssl_bio = BIO_new(BIO_f_ssl());
1049 SSL_set_connect_state(c_ssl);
1050 SSL_set_bio(c_ssl, client, client);
1051 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1053 SSL_set_accept_state(s_ssl);
1054 SSL_set_bio(s_ssl, server, server);
1055 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1059 /* c_ssl_bio: SSL filter BIO
1061 * client: pseudo-I/O for SSL library
1063 * client_io: client's SSL communication; usually to be
1064 * relayed over some I/O facility, but in this
1065 * test program, we're the server, too:
1067 * server_io: server's SSL communication
1069 * server: pseudo-I/O for SSL library
1071 * s_ssl_bio: SSL filter BIO
1073 * The client and the server each employ a "BIO pair":
1074 * client + client_io, server + server_io.
1075 * BIO pairs are symmetric. A BIO pair behaves similar
1076 * to a non-blocking socketpair (but both endpoints must
1077 * be handled by the same thread).
1078 * [Here we could connect client and server to the ends
1079 * of a single BIO pair, but then this code would be less
1080 * suitable as an example for BIO pairs in general.]
1082 * Useful functions for querying the state of BIO pair endpoints:
1084 * BIO_ctrl_pending(bio) number of bytes we can read now
1085 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1086 * other side's read attempt
1087 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1089 * ..._read_request is never more than ..._write_guarantee;
1090 * it depends on the application which one you should use.
1093 /* We have non-blocking behaviour throughout this test program, but
1094 * can be sure that there is *some* progress in each iteration; so
1095 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1096 * -- we just try everything in each iteration
1102 MS_STATIC char cbuf[1024*8];
1104 clock_t c_clock = clock();
1106 memset(cbuf, 0, sizeof(cbuf));
1109 if (SSL_in_init(c_ssl))
1110 printf("client waiting in SSL_connect - %s\n",
1111 SSL_state_string_long(c_ssl));
1115 /* Write to server. */
1117 if (cw_num > (long)sizeof cbuf)
1121 r = BIO_write(c_ssl_bio, cbuf, i);
1124 if (!BIO_should_retry(c_ssl_bio))
1126 fprintf(stderr,"ERROR in CLIENT\n");
1129 /* BIO_should_retry(...) can just be ignored here.
1130 * The library expects us to call BIO_write with
1131 * the same arguments again, and that's what we will
1132 * do in the next iteration. */
1136 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1142 printf("client wrote %d\n", r);
1149 /* Read from server. */
1151 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1154 if (!BIO_should_retry(c_ssl_bio))
1156 fprintf(stderr,"ERROR in CLIENT\n");
1159 /* Again, "BIO_should_retry" can be ignored. */
1163 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1169 printf("client read %d\n", r);
1174 /* c_time and s_time increments will typically be very small
1175 * (depending on machine speed and clock tick intervals),
1176 * but sampling over a large number of connections should
1177 * result in fairly accurate figures. We cannot guarantee
1178 * a lot, however -- if each connection lasts for exactly
1179 * one clock tick, it will be counted only for the client
1180 * or only for the server or even not at all.
1182 *c_time += (clock() - c_clock);
1188 MS_STATIC char sbuf[1024*8];
1190 clock_t s_clock = clock();
1192 memset(sbuf, 0, sizeof(sbuf));
1195 if (SSL_in_init(s_ssl))
1196 printf("server waiting in SSL_accept - %s\n",
1197 SSL_state_string_long(s_ssl));
1201 /* Write to client. */
1203 if (sw_num > (long)sizeof sbuf)
1207 r = BIO_write(s_ssl_bio, sbuf, i);
1210 if (!BIO_should_retry(s_ssl_bio))
1212 fprintf(stderr,"ERROR in SERVER\n");
1215 /* Ignore "BIO_should_retry". */
1219 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1225 printf("server wrote %d\n", r);
1232 /* Read from client. */
1234 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1237 if (!BIO_should_retry(s_ssl_bio))
1239 fprintf(stderr,"ERROR in SERVER\n");
1246 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1252 printf("server read %d\n", r);
1257 *s_time += (clock() - s_clock);
1261 /* "I/O" BETWEEN CLIENT AND SERVER. */
1264 BIO *io1 = server_io, *io2 = client_io;
1265 /* we use the non-copying interface for io1
1266 * and the standard BIO_write/BIO_read interface for io2
1269 static int prev_progress = 1;
1278 r1 = BIO_ctrl_pending(io1);
1279 r2 = BIO_ctrl_get_write_guarantee(io2);
1288 if (INT_MAX < num) /* yeah, right */
1291 r = BIO_nread(io1, &dataptr, (int)num);
1293 assert(r <= (int)num);
1294 /* possibly r < num (non-contiguous data) */
1296 r = BIO_write(io2, dataptr, (int)num);
1297 if (r != (int)num) /* can't happen */
1299 fprintf(stderr, "ERROR: BIO_write could not write "
1300 "BIO_ctrl_get_write_guarantee() bytes");
1306 printf((io1 == client_io) ?
1307 "C->S relaying: %d bytes\n" :
1308 "S->C relaying: %d bytes\n",
1319 r1 = BIO_ctrl_pending(io2);
1320 r2 = BIO_ctrl_get_read_request(io1);
1321 /* here we could use ..._get_write_guarantee instead of
1322 * ..._get_read_request, but by using the latter
1323 * we test restartability of the SSL implementation
1324 * more thoroughly */
1336 --num; /* test restartability even more thoroughly */
1338 r = BIO_nwrite0(io1, &dataptr);
1342 r = BIO_read(io2, dataptr, (int)num);
1343 if (r != (int)num) /* can't happen */
1345 fprintf(stderr, "ERROR: BIO_read could not read "
1346 "BIO_ctrl_pending() bytes");
1350 r = BIO_nwrite(io1, &dataptr, (int)num);
1351 if (r != (int)num) /* can't happen */
1353 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1354 "BIO_nwrite0() bytes");
1359 printf((io2 == client_io) ?
1360 "C->S relaying: %d bytes\n" :
1361 "S->C relaying: %d bytes\n",
1364 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1366 if (!progress && !prev_progress)
1367 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1369 fprintf(stderr, "ERROR: got stuck\n");
1370 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1372 fprintf(stderr, "This can happen for SSL2 because "
1373 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1374 "concurrently ...");
1375 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1376 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1378 fprintf(stderr, " ok.\n");
1382 fprintf(stderr, " ERROR.\n");
1385 prev_progress = progress;
1388 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1391 print_details(c_ssl, "DONE via BIO pair: ");
1396 ERR_print_errors(bio_err);
1401 BIO_free(server_io);
1405 BIO_free(client_io);
1407 BIO_free(s_ssl_bio);
1409 BIO_free(c_ssl_bio);
1420 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1422 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1423 long cw_num=count,cr_num=count;
1424 long sw_num=count,sr_num=count;
1430 int c_r,c_w,s_r,s_w;
1434 int c_write,s_write;
1435 int do_server=0,do_client=0;
1437 memset(cbuf,0,sizeof(cbuf));
1438 memset(sbuf,0,sizeof(sbuf));
1440 c_to_s=BIO_new(BIO_s_mem());
1441 s_to_c=BIO_new(BIO_s_mem());
1442 if ((s_to_c == NULL) || (c_to_s == NULL))
1444 ERR_print_errors(bio_err);
1448 c_bio=BIO_new(BIO_f_ssl());
1449 s_bio=BIO_new(BIO_f_ssl());
1450 if ((c_bio == NULL) || (s_bio == NULL))
1452 ERR_print_errors(bio_err);
1456 SSL_set_connect_state(c_ssl);
1457 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1458 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1460 SSL_set_accept_state(s_ssl);
1461 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1462 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1468 c_write=1,s_write=0;
1470 /* We can always do writes */
1476 i=(int)BIO_pending(s_bio);
1477 if ((i && s_r) || s_w) do_server=1;
1479 i=(int)BIO_pending(c_bio);
1480 if ((i && c_r) || c_w) do_client=1;
1482 if (do_server && debug)
1484 if (SSL_in_init(s_ssl))
1485 printf("server waiting in SSL_accept - %s\n",
1486 SSL_state_string_long(s_ssl));
1487 /* else if (s_write)
1488 printf("server:SSL_write()\n");
1490 printf("server:SSL_read()\n"); */
1493 if (do_client && debug)
1495 if (SSL_in_init(c_ssl))
1496 printf("client waiting in SSL_connect - %s\n",
1497 SSL_state_string_long(c_ssl));
1498 /* else if (c_write)
1499 printf("client:SSL_write()\n");
1501 printf("client:SSL_read()\n"); */
1504 if (!do_client && !do_server)
1506 fprintf(stdout,"ERROR IN STARTUP\n");
1507 ERR_print_errors(bio_err);
1510 if (do_client && !(done & C_DONE))
1514 j = (cw_num > (long)sizeof(cbuf)) ?
1515 (int)sizeof(cbuf) : (int)cw_num;
1516 i=BIO_write(c_bio,cbuf,j);
1521 if (BIO_should_retry(c_bio))
1523 if (BIO_should_read(c_bio))
1525 if (BIO_should_write(c_bio))
1530 fprintf(stderr,"ERROR in CLIENT\n");
1531 ERR_print_errors(bio_err);
1537 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1543 printf("client wrote %d\n",i);
1552 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1557 if (BIO_should_retry(c_bio))
1559 if (BIO_should_read(c_bio))
1561 if (BIO_should_write(c_bio))
1566 fprintf(stderr,"ERROR in CLIENT\n");
1567 ERR_print_errors(bio_err);
1573 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1579 printf("client read %d\n",i);
1596 if (do_server && !(done & S_DONE))
1600 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1605 if (BIO_should_retry(s_bio))
1607 if (BIO_should_read(s_bio))
1609 if (BIO_should_write(s_bio))
1614 fprintf(stderr,"ERROR in SERVER\n");
1615 ERR_print_errors(bio_err);
1621 ERR_print_errors(bio_err);
1622 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1628 printf("server read %d\n",i);
1645 j = (sw_num > (long)sizeof(sbuf)) ?
1646 (int)sizeof(sbuf) : (int)sw_num;
1647 i=BIO_write(s_bio,sbuf,j);
1652 if (BIO_should_retry(s_bio))
1654 if (BIO_should_read(s_bio))
1656 if (BIO_should_write(s_bio))
1661 fprintf(stderr,"ERROR in SERVER\n");
1662 ERR_print_errors(bio_err);
1668 ERR_print_errors(bio_err);
1669 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1675 printf("server wrote %d\n",i);
1685 if ((done & S_DONE) && (done & C_DONE)) break;
1689 print_details(c_ssl, "DONE: ");
1692 /* We have to set the BIO's to NULL otherwise they will be
1693 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1694 * again when c_ssl is SSL_free()ed.
1695 * This is a hack required because s_ssl and c_ssl are sharing the same
1696 * BIO structure and SSL_set_bio() and SSL_free() automatically
1697 * BIO_free non NULL entries.
1698 * You should not normally do this or be required to do this */
1710 if (c_to_s != NULL) BIO_free(c_to_s);
1711 if (s_to_c != NULL) BIO_free(s_to_c);
1712 if (c_bio != NULL) BIO_free_all(c_bio);
1713 if (s_bio != NULL) BIO_free_all(s_bio);
1717 static int get_proxy_auth_ex_data_idx(void)
1719 static volatile int idx = -1;
1722 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1725 idx = X509_STORE_CTX_get_ex_new_index(0,
1726 "SSLtest for verify callback", NULL,NULL,NULL);
1728 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1733 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1737 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1742 fprintf(stderr,"depth=%d %s\n",
1743 ctx->error_depth,buf);
1746 fprintf(stderr,"depth=%d error=%d %s\n",
1747 ctx->error_depth,ctx->error,buf);
1753 fprintf(stderr,"Error string: %s\n",
1754 X509_verify_cert_error_string(ctx->error));
1757 case X509_V_ERR_CERT_NOT_YET_VALID:
1758 case X509_V_ERR_CERT_HAS_EXPIRED:
1759 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1760 fprintf(stderr," ... ignored.\n");
1767 X509 *xs = ctx->current_cert;
1769 X509 *xi = ctx->current_issuer;
1772 if (xs->ex_flags & EXFLAG_PROXY)
1774 unsigned int *letters =
1775 X509_STORE_CTX_get_ex_data(ctx,
1776 get_proxy_auth_ex_data_idx());
1782 PROXY_CERT_INFO_EXTENSION *pci =
1783 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1786 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1788 case NID_Independent:
1789 /* Completely meaningless in this
1790 program, as there's no way to
1791 grant explicit rights to a
1792 specific PrC. Basically, using
1793 id-ppl-Independent is the perfect
1794 way to grant no rights at all. */
1795 fprintf(stderr, " Independent proxy certificate");
1796 for (i = 0; i < 26; i++)
1799 case NID_id_ppl_inheritAll:
1800 /* This is basically a NOP, we
1801 simply let the current rights
1802 stand as they are. */
1803 fprintf(stderr, " Proxy certificate inherits all");
1807 pci->proxyPolicy->policy->data;
1808 i = pci->proxyPolicy->policy->length;
1810 /* The algorithm works as follows:
1811 it is assumed that previous
1812 iterations or the initial granted
1813 rights has already set some elements
1814 of `letters'. What we need to do is
1815 to clear those that weren't granted
1816 by the current PrC as well. The
1817 easiest way to do this is to add 1
1818 to all the elements whose letters
1819 are given with the current policy.
1820 That way, all elements that are set
1821 by the current policy and were
1822 already set by earlier policies and
1823 through the original grant of rights
1824 will get the value 2 or higher.
1825 The last thing to do is to sweep
1826 through `letters' and keep the
1827 elements having the value 2 as set,
1828 and clear all the others. */
1830 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1834 if (isascii(c) && isalpha(c))
1841 for (i = 0; i < 26; i++)
1850 ", resulting proxy rights = ");
1851 for(i = 0; i < 26; i++)
1854 fprintf(stderr, "%c", i + 'A');
1858 fprintf(stderr, "none");
1859 fprintf(stderr, "\n");
1861 PROXY_CERT_INFO_EXTENSION_free(pci);
1869 static void process_proxy_debug(int indent, const char *format, ...)
1871 static const char indentation[] =
1872 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1873 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1874 char my_format[256];
1877 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1878 indent, indent, indentation, format);
1880 va_start(args, format);
1881 vfprintf(stderr, my_format, args);
1889 static int process_proxy_cond_adders(unsigned int letters[26],
1890 const char *cond, const char **cond_end, int *pos, int indent);
1891 static int process_proxy_cond_val(unsigned int letters[26],
1892 const char *cond, const char **cond_end, int *pos, int indent)
1898 while(isspace((int)*cond))
1905 process_proxy_debug(indent,
1906 "Start process_proxy_cond_val at position %d: %s\n",
1913 while(isspace((int)*cond))
1923 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1928 while(isspace((int)*cond))
1936 "Weird condition character in position %d: "
1943 else if (isascii(c) && isalpha(c))
1947 ok = letters[c - 'A'];
1953 "Weird condition character in position %d: "
1960 if (ok >= 0 && negate)
1964 process_proxy_debug(indent,
1965 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1970 static int process_proxy_cond_multipliers(unsigned int letters[26],
1971 const char *cond, const char **cond_end, int *pos, int indent)
1977 process_proxy_debug(indent,
1978 "Start process_proxy_cond_multipliers at position %d: %s\n",
1981 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1988 while(isspace((int)*cond))
2002 ok = process_proxy_cond_val(letters,
2003 cond, cond_end, pos, indent + 1);
2017 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2029 process_proxy_debug(indent,
2030 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2036 static int process_proxy_cond_adders(unsigned int letters[26],
2037 const char *cond, const char **cond_end, int *pos, int indent)
2043 process_proxy_debug(indent,
2044 "Start process_proxy_cond_adders at position %d: %s\n",
2047 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2055 while(isspace((int)*cond))
2068 ok = process_proxy_cond_multipliers(letters,
2069 cond, cond_end, pos, indent + 1);
2080 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2092 process_proxy_debug(indent,
2093 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2100 static int process_proxy_cond(unsigned int letters[26],
2101 const char *cond, const char **cond_end)
2104 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2107 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2110 struct app_verify_arg *cb_arg = arg;
2111 unsigned int letters[26]; /* only used with proxy_auth */
2113 if (cb_arg->app_verify)
2115 char *s = NULL,buf[256];
2117 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2118 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2119 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2120 (void *)ctx, (void *)ctx->cert);
2122 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2125 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2129 if (cb_arg->proxy_auth)
2131 int found_any = 0, i;
2134 for(i = 0; i < 26; i++)
2136 for(sp = cb_arg->proxy_auth; *sp; sp++)
2139 if (isascii(c) && isalpha(c))
2143 letters[c - 'A'] = 1;
2148 " Initial proxy rights = ");
2149 for(i = 0; i < 26; i++)
2152 fprintf(stderr, "%c", i + 'A');
2156 fprintf(stderr, "none");
2157 fprintf(stderr, "\n");
2159 X509_STORE_CTX_set_ex_data(ctx,
2160 get_proxy_auth_ex_data_idx(),letters);
2162 if (cb_arg->allow_proxy_certs)
2164 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2167 #ifndef OPENSSL_NO_X509_VERIFY
2168 # ifdef OPENSSL_FIPS
2169 if(s->version == TLS1_VERSION)
2172 ok = X509_verify_cert(ctx);
2173 # ifdef OPENSSL_FIPS
2174 if(s->version == TLS1_VERSION)
2179 if (cb_arg->proxy_auth)
2183 const char *cond_end = NULL;
2185 ok = process_proxy_cond(letters,
2186 cb_arg->proxy_cond, &cond_end);
2192 fprintf(stderr, "Stopped processing condition before it's end.\n");
2196 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2197 cb_arg->proxy_cond);
2199 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2200 cb_arg->proxy_cond);
2206 #ifndef OPENSSL_NO_RSA
2207 static RSA *rsa_tmp=NULL;
2209 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2212 if (rsa_tmp == NULL)
2215 rsa_tmp = RSA_new();
2216 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2218 BIO_printf(bio_err, "Memory error...");
2221 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2222 (void)BIO_flush(bio_err);
2223 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2225 BIO_printf(bio_err, "Error generating key.");
2230 BIO_printf(bio_err,"\n");
2231 (void)BIO_flush(bio_err);
2237 static void free_tmp_rsa(void)
2239 if (rsa_tmp != NULL)
2247 #ifndef OPENSSL_NO_DH
2248 /* These DH parameters have been generated as follows:
2249 * $ openssl dhparam -C -noout 512
2250 * $ openssl dhparam -C -noout 1024
2251 * $ openssl dhparam -C -noout -dsaparam 1024
2252 * (The third function has been renamed to avoid name conflicts.)
2254 static DH *get_dh512()
2256 static unsigned char dh512_p[]={
2257 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2258 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2259 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2260 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2261 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2262 0x02,0xC5,0xAE,0x23,
2264 static unsigned char dh512_g[]={
2269 if ((dh=DH_new()) == NULL) return(NULL);
2270 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2271 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2272 if ((dh->p == NULL) || (dh->g == NULL))
2273 { DH_free(dh); return(NULL); }
2277 static DH *get_dh1024()
2279 static unsigned char dh1024_p[]={
2280 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2281 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2282 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2283 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2284 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2285 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2286 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2287 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2288 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2289 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2290 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2292 static unsigned char dh1024_g[]={
2297 if ((dh=DH_new()) == NULL) return(NULL);
2298 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2299 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2300 if ((dh->p == NULL) || (dh->g == NULL))
2301 { DH_free(dh); return(NULL); }
2305 static DH *get_dh1024dsa()
2307 static unsigned char dh1024_p[]={
2308 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2309 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2310 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2311 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2312 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2313 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2314 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2315 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2316 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2317 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2318 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2320 static unsigned char dh1024_g[]={
2321 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2322 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2323 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2324 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2325 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2326 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2327 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2328 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2329 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2330 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2331 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2335 if ((dh=DH_new()) == NULL) return(NULL);
2336 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2337 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2338 if ((dh->p == NULL) || (dh->g == NULL))
2339 { DH_free(dh); return(NULL); }
2345 #ifndef OPENSSL_NO_PSK
2346 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2347 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2348 unsigned int max_psk_len)
2353 ret = BN_hex2bn(&bn, pskkey);
2356 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2361 if (BN_num_bytes(bn) > (int)max_psk_len)
2363 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2364 max_psk_len, BN_num_bytes(bn));
2368 ret = BN_bn2bin(bn, psk);
2373 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2374 unsigned int max_identity_len, unsigned char *psk,
2375 unsigned int max_psk_len)
2378 unsigned int psk_len = 0;
2380 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2384 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2385 ret = psk_key2bn(psk_key, psk, max_psk_len);
2393 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2394 unsigned char *psk, unsigned int max_psk_len)
2396 unsigned int psk_len=0;
2398 if (strcmp(identity, "Client_identity") != 0)
2400 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2403 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2408 static int do_test_cipherlist(void)
2411 const SSL_METHOD *meth;
2412 const SSL_CIPHER *ci, *tci = NULL;
2414 #ifndef OPENSSL_NO_SSL2
2415 fprintf(stderr, "testing SSLv2 cipher list order: ");
2416 meth = SSLv2_method();
2417 while ((ci = meth->get_cipher(i++)) != NULL)
2420 if (ci->id >= tci->id)
2422 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2427 fprintf(stderr, "ok\n");
2429 #ifndef OPENSSL_NO_SSL3
2430 fprintf(stderr, "testing SSLv3 cipher list order: ");
2431 meth = SSLv3_method();
2433 while ((ci = meth->get_cipher(i++)) != NULL)
2436 if (ci->id >= tci->id)
2438 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2443 fprintf(stderr, "ok\n");
2445 #ifndef OPENSSL_NO_TLS1
2446 fprintf(stderr, "testing TLSv1 cipher list order: ");
2447 meth = TLSv1_method();
2449 while ((ci = meth->get_cipher(i++)) != NULL)
2452 if (ci->id >= tci->id)
2454 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2459 fprintf(stderr, "ok\n");