2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
131 #define _XOPEN_SOURCE 1 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #include <openssl/rsa.h>
147 #include <openssl/dsa.h>
148 #include <openssl/dh.h>
149 #include <openssl/bn.h>
151 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
152 on Compaq platforms (at least with DEC C).
153 Do not try to put it earlier, or IPv6 includes
157 #ifdef OPENSSL_SYS_WINDOWS
160 #include OPENSSL_UNISTD
163 #ifdef OPENSSL_SYS_VMS
164 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
165 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
166 #elif defined(OPENSSL_SYS_WINCE)
167 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
168 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
169 #elif defined(OPENSSL_SYS_NETWARE)
170 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
171 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
173 # define TEST_SERVER_CERT "../apps/server.pem"
174 # define TEST_CLIENT_CERT "../apps/client.pem"
177 /* There is really no standard for this, so let's assign some tentative
178 numbers. In any case, these numbers are only for this test */
182 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
183 #ifndef OPENSSL_NO_RSA
184 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
185 static void free_tmp_rsa(void);
187 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
188 #define APP_CALLBACK_STRING "Test Callback Argument"
189 struct app_verify_arg
193 int allow_proxy_certs;
198 #ifndef OPENSSL_NO_DH
199 static DH *get_dh512(void);
200 static DH *get_dh1024(void);
201 static DH *get_dh1024dsa(void);
204 static BIO *bio_err=NULL;
205 static BIO *bio_stdout=NULL;
207 static char *cipher=NULL;
208 static int verbose=0;
217 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
219 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
220 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
221 static void sv_usage(void)
223 fprintf(stderr,"usage: ssltest [args ...]\n");
224 fprintf(stderr,"\n");
225 fprintf(stderr," -server_auth - check server certificate\n");
226 fprintf(stderr," -client_auth - do client authentication\n");
227 fprintf(stderr," -proxy - allow proxy certificates\n");
228 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
229 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
230 fprintf(stderr," -v - more output\n");
231 fprintf(stderr," -d - debug output\n");
232 fprintf(stderr," -reuse - use session-id reuse\n");
233 fprintf(stderr," -num <val> - number of connections to perform\n");
234 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
235 #ifndef OPENSSL_NO_DH
236 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
237 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
238 fprintf(stderr," -no_dhe - disable DHE\n");
240 #ifndef OPENSSL_NO_ECDH
241 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
243 #ifndef OPENSSL_NO_SSL2
244 fprintf(stderr," -ssl2 - use SSLv2\n");
246 #ifndef OPENSSL_NO_SSL3
247 fprintf(stderr," -ssl3 - use SSLv3\n");
249 #ifndef OPENSSL_NO_TLS1
250 fprintf(stderr," -tls1 - use TLSv1\n");
252 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
253 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
254 fprintf(stderr," -cert arg - Server certificate file\n");
255 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
256 fprintf(stderr," -c_cert arg - Client certificate file\n");
257 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
258 fprintf(stderr," -cipher arg - The cipher list\n");
259 fprintf(stderr," -bio_pair - Use BIO pairs\n");
260 fprintf(stderr," -f - Test even cases that can't work\n");
261 fprintf(stderr," -time - measure processor time used by client and server\n");
262 fprintf(stderr," -zlib - use zlib compression\n");
263 fprintf(stderr," -rle - use rle compression\n");
264 #ifndef OPENSSL_NO_ECDH
265 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
266 " Use \"openssl ecparam -list_curves\" for all names\n" \
267 " (default is sect163r2).\n");
271 static void print_details(SSL *c_ssl, const char *prefix)
276 ciph=SSL_get_current_cipher(c_ssl);
277 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
279 SSL_get_version(c_ssl),
280 SSL_CIPHER_get_version(ciph),
281 SSL_CIPHER_get_name(ciph));
282 cert=SSL_get_peer_certificate(c_ssl);
285 EVP_PKEY *pkey = X509_get_pubkey(cert);
290 #ifndef OPENSSL_NO_RSA
291 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
292 && pkey->pkey.rsa->n != NULL)
294 BIO_printf(bio_stdout, ", %d bit RSA",
295 BN_num_bits(pkey->pkey.rsa->n));
298 #ifndef OPENSSL_NO_DSA
299 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
300 && pkey->pkey.dsa->p != NULL)
302 BIO_printf(bio_stdout, ", %d bit DSA",
303 BN_num_bits(pkey->pkey.dsa->p));
310 /* The SSL API does not allow us to look at temporary RSA/DH keys,
311 * otherwise we should print their lengths too */
312 BIO_printf(bio_stdout,"\n");
315 static void lock_dbg_cb(int mode, int type, const char *file, int line)
317 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
318 const char *errstr = NULL;
321 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
322 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
324 errstr = "invalid mode";
328 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
330 errstr = "type out of bounds";
334 if (mode & CRYPTO_LOCK)
338 errstr = "already locked";
339 /* must not happen in a single-threaded program
340 * (would deadlock) */
346 else if (mode & CRYPTO_UNLOCK)
350 errstr = "not locked";
354 if (modes[type] != rw)
356 errstr = (rw == CRYPTO_READ) ?
357 "CRYPTO_r_unlock on write lock" :
358 "CRYPTO_w_unlock on read lock";
365 errstr = "invalid mode";
372 /* we cannot use bio_err here */
373 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
374 errstr, mode, type, file, line);
378 int main(int argc, char *argv[])
380 char *CApath=NULL,*CAfile=NULL;
384 int tls1=0,ssl2=0,ssl3=0,ret=1;
387 struct app_verify_arg app_verify_arg =
388 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
389 char *server_cert=TEST_SERVER_CERT;
390 char *server_key=NULL;
391 char *client_cert=TEST_CLIENT_CERT;
392 char *client_key=NULL;
393 char *named_curve = NULL;
396 SSL_METHOD *meth=NULL;
398 int number=1,reuse=0;
400 #ifndef OPENSSL_NO_DH
402 int dhe1024 = 0, dhe1024dsa = 0;
404 #ifndef OPENSSL_NO_ECDH
410 clock_t s_time = 0, c_time = 0;
412 COMP_METHOD *cm = NULL;
413 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
419 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
421 CRYPTO_set_locking_callback(lock_dbg_cb);
423 /* enable memory leak checking unless explicitly disabled */
424 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
426 CRYPTO_malloc_debug_init();
427 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
431 /* OPENSSL_DEBUG_MEMORY=off */
432 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
434 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
436 RAND_seed(rnd_seed, sizeof rnd_seed);
438 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
445 if (strcmp(*argv,"-server_auth") == 0)
447 else if (strcmp(*argv,"-client_auth") == 0)
449 else if (strcmp(*argv,"-proxy_auth") == 0)
451 if (--argc < 1) goto bad;
452 app_verify_arg.proxy_auth= *(++argv);
454 else if (strcmp(*argv,"-proxy_cond") == 0)
456 if (--argc < 1) goto bad;
457 app_verify_arg.proxy_cond= *(++argv);
459 else if (strcmp(*argv,"-v") == 0)
461 else if (strcmp(*argv,"-d") == 0)
463 else if (strcmp(*argv,"-reuse") == 0)
465 else if (strcmp(*argv,"-dhe1024") == 0)
467 #ifndef OPENSSL_NO_DH
470 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
473 else if (strcmp(*argv,"-dhe1024dsa") == 0)
475 #ifndef OPENSSL_NO_DH
478 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
481 else if (strcmp(*argv,"-no_dhe") == 0)
483 else if (strcmp(*argv,"-no_ecdhe") == 0)
485 else if (strcmp(*argv,"-ssl2") == 0)
487 else if (strcmp(*argv,"-tls1") == 0)
489 else if (strcmp(*argv,"-ssl3") == 0)
491 else if (strncmp(*argv,"-num",4) == 0)
493 if (--argc < 1) goto bad;
494 number= atoi(*(++argv));
495 if (number == 0) number=1;
497 else if (strcmp(*argv,"-bytes") == 0)
499 if (--argc < 1) goto bad;
500 bytes= atol(*(++argv));
501 if (bytes == 0L) bytes=1L;
503 if (argv[0][i-1] == 'k') bytes*=1024L;
504 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
506 else if (strcmp(*argv,"-cert") == 0)
508 if (--argc < 1) goto bad;
509 server_cert= *(++argv);
511 else if (strcmp(*argv,"-s_cert") == 0)
513 if (--argc < 1) goto bad;
514 server_cert= *(++argv);
516 else if (strcmp(*argv,"-key") == 0)
518 if (--argc < 1) goto bad;
519 server_key= *(++argv);
521 else if (strcmp(*argv,"-s_key") == 0)
523 if (--argc < 1) goto bad;
524 server_key= *(++argv);
526 else if (strcmp(*argv,"-c_cert") == 0)
528 if (--argc < 1) goto bad;
529 client_cert= *(++argv);
531 else if (strcmp(*argv,"-c_key") == 0)
533 if (--argc < 1) goto bad;
534 client_key= *(++argv);
536 else if (strcmp(*argv,"-cipher") == 0)
538 if (--argc < 1) goto bad;
541 else if (strcmp(*argv,"-CApath") == 0)
543 if (--argc < 1) goto bad;
546 else if (strcmp(*argv,"-CAfile") == 0)
548 if (--argc < 1) goto bad;
551 else if (strcmp(*argv,"-bio_pair") == 0)
555 else if (strcmp(*argv,"-f") == 0)
559 else if (strcmp(*argv,"-time") == 0)
563 else if (strcmp(*argv,"-zlib") == 0)
567 else if (strcmp(*argv,"-rle") == 0)
571 else if (strcmp(*argv,"-named_curve") == 0)
573 if (--argc < 1) goto bad;
574 #ifndef OPENSSL_NO_ECDH
575 named_curve = *(++argv);
577 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
581 else if (strcmp(*argv,"-app_verify") == 0)
583 app_verify_arg.app_verify = 1;
585 else if (strcmp(*argv,"-proxy") == 0)
587 app_verify_arg.allow_proxy_certs = 1;
591 fprintf(stderr,"unknown option %s\n",*argv);
605 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
607 fprintf(stderr, "This case cannot work. Use -f to perform "
608 "the test anyway (and\n-d to see what happens), "
609 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
610 "to avoid protocol mismatch.\n");
618 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
621 if (number < 50 && !force)
622 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
625 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
628 SSL_load_error_strings();
630 if (comp == COMP_ZLIB) cm = COMP_zlib();
631 if (comp == COMP_RLE) cm = COMP_rle();
634 if (cm->type != NID_undef)
636 if (SSL_COMP_add_compression_method(comp, cm) != 0)
639 "Failed to add compression method\n");
640 ERR_print_errors_fp(stderr);
646 "Warning: %s compression not supported\n",
647 (comp == COMP_RLE ? "rle" :
648 (comp == COMP_ZLIB ? "zlib" :
650 ERR_print_errors_fp(stderr);
653 ssl_comp_methods = SSL_COMP_get_compression_methods();
654 fprintf(stderr, "Available compression methods:\n");
656 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
658 fprintf(stderr, " NONE\n");
660 for (j = 0; j < n; j++)
662 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
663 fprintf(stderr, " %d: %s\n", c->id, c->name);
667 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
677 meth=SSLv23_method();
679 #ifdef OPENSSL_NO_SSL2
686 c_ctx=SSL_CTX_new(meth);
687 s_ctx=SSL_CTX_new(meth);
688 if ((c_ctx == NULL) || (s_ctx == NULL))
690 ERR_print_errors(bio_err);
696 SSL_CTX_set_cipher_list(c_ctx,cipher);
697 SSL_CTX_set_cipher_list(s_ctx,cipher);
700 #ifndef OPENSSL_NO_DH
705 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
706 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
713 SSL_CTX_set_tmp_dh(s_ctx,dh);
720 #ifndef OPENSSL_NO_ECDH
728 int nid = OBJ_sn2nid(named_curve);
732 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
737 ecdh->group = EC_GROUP_new_by_curve_name(nid);
738 if (ecdh->group == NULL)
740 BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
746 if (ecdh->group == NULL)
747 ecdh->group=EC_GROUP_new_by_curve_name(NID_sect163r2);
749 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
750 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
758 #ifndef OPENSSL_NO_RSA
759 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
762 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
764 ERR_print_errors(bio_err);
766 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
767 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
769 ERR_print_errors(bio_err);
775 SSL_CTX_use_certificate_file(c_ctx,client_cert,
777 SSL_CTX_use_PrivateKey_file(c_ctx,
778 (client_key?client_key:client_cert),
782 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
783 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
784 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
785 (!SSL_CTX_set_default_verify_paths(c_ctx)))
787 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
788 ERR_print_errors(bio_err);
794 BIO_printf(bio_err,"client authentication\n");
795 SSL_CTX_set_verify(s_ctx,
796 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
798 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
802 BIO_printf(bio_err,"server authentication\n");
803 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
805 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
809 int session_id_context = 0;
810 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
813 c_ssl=SSL_new(c_ctx);
814 s_ssl=SSL_new(s_ctx);
816 #ifndef OPENSSL_NO_KRB5
817 if (c_ssl && c_ssl->kssl_ctx)
819 char localhost[MAXHOSTNAMELEN+2];
821 if (gethostname(localhost, sizeof localhost-1) == 0)
823 localhost[sizeof localhost-1]='\0';
824 if(strlen(localhost) == sizeof localhost-1)
826 BIO_printf(bio_err,"localhost name too long\n");
829 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
833 #endif /* OPENSSL_NO_KRB5 */
835 for (i=0; i<number; i++)
837 if (!reuse) SSL_set_session(c_ssl,NULL);
839 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
841 ret=doit(s_ssl,c_ssl,bytes);
846 print_details(c_ssl, "");
848 if ((number > 1) || (bytes > 1L))
849 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
852 #ifdef CLOCKS_PER_SEC
853 /* "To determine the time in seconds, the value returned
854 * by the clock function should be divided by the value
855 * of the macro CLOCKS_PER_SEC."
857 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
858 "Approximate total client time: %6.2f s\n",
859 (double)s_time/CLOCKS_PER_SEC,
860 (double)c_time/CLOCKS_PER_SEC);
862 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
863 * -- cc on NeXTstep/OpenStep */
864 BIO_printf(bio_stdout,
865 "Approximate total server time: %6.2f units\n"
866 "Approximate total client time: %6.2f units\n",
876 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
877 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
879 if (bio_stdout != NULL) BIO_free(bio_stdout);
881 #ifndef OPENSSL_NO_RSA
884 #ifndef OPENSSL_NO_ENGINE
887 CRYPTO_cleanup_all_ex_data();
891 CRYPTO_mem_leaks(bio_err);
892 if (bio_err != NULL) BIO_free(bio_err);
896 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
897 clock_t *s_time, clock_t *c_time)
899 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
900 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
901 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
904 size_t bufsiz = 256; /* small buffer for testing */
906 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
908 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
911 s_ssl_bio = BIO_new(BIO_f_ssl());
915 c_ssl_bio = BIO_new(BIO_f_ssl());
919 SSL_set_connect_state(c_ssl);
920 SSL_set_bio(c_ssl, client, client);
921 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
923 SSL_set_accept_state(s_ssl);
924 SSL_set_bio(s_ssl, server, server);
925 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
929 /* c_ssl_bio: SSL filter BIO
931 * client: pseudo-I/O for SSL library
933 * client_io: client's SSL communication; usually to be
934 * relayed over some I/O facility, but in this
935 * test program, we're the server, too:
937 * server_io: server's SSL communication
939 * server: pseudo-I/O for SSL library
941 * s_ssl_bio: SSL filter BIO
943 * The client and the server each employ a "BIO pair":
944 * client + client_io, server + server_io.
945 * BIO pairs are symmetric. A BIO pair behaves similar
946 * to a non-blocking socketpair (but both endpoints must
947 * be handled by the same thread).
948 * [Here we could connect client and server to the ends
949 * of a single BIO pair, but then this code would be less
950 * suitable as an example for BIO pairs in general.]
952 * Useful functions for querying the state of BIO pair endpoints:
954 * BIO_ctrl_pending(bio) number of bytes we can read now
955 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
956 * other side's read attempt
957 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
959 * ..._read_request is never more than ..._write_guarantee;
960 * it depends on the application which one you should use.
963 /* We have non-blocking behaviour throughout this test program, but
964 * can be sure that there is *some* progress in each iteration; so
965 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
966 * -- we just try everything in each iteration
972 MS_STATIC char cbuf[1024*8];
974 clock_t c_clock = clock();
976 memset(cbuf, 0, sizeof(cbuf));
979 if (SSL_in_init(c_ssl))
980 printf("client waiting in SSL_connect - %s\n",
981 SSL_state_string_long(c_ssl));
985 /* Write to server. */
987 if (cw_num > (long)sizeof cbuf)
991 r = BIO_write(c_ssl_bio, cbuf, i);
994 if (!BIO_should_retry(c_ssl_bio))
996 fprintf(stderr,"ERROR in CLIENT\n");
999 /* BIO_should_retry(...) can just be ignored here.
1000 * The library expects us to call BIO_write with
1001 * the same arguments again, and that's what we will
1002 * do in the next iteration. */
1006 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1012 printf("client wrote %d\n", r);
1019 /* Read from server. */
1021 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1024 if (!BIO_should_retry(c_ssl_bio))
1026 fprintf(stderr,"ERROR in CLIENT\n");
1029 /* Again, "BIO_should_retry" can be ignored. */
1033 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1039 printf("client read %d\n", r);
1044 /* c_time and s_time increments will typically be very small
1045 * (depending on machine speed and clock tick intervals),
1046 * but sampling over a large number of connections should
1047 * result in fairly accurate figures. We cannot guarantee
1048 * a lot, however -- if each connection lasts for exactly
1049 * one clock tick, it will be counted only for the client
1050 * or only for the server or even not at all.
1052 *c_time += (clock() - c_clock);
1058 MS_STATIC char sbuf[1024*8];
1060 clock_t s_clock = clock();
1062 memset(sbuf, 0, sizeof(sbuf));
1065 if (SSL_in_init(s_ssl))
1066 printf("server waiting in SSL_accept - %s\n",
1067 SSL_state_string_long(s_ssl));
1071 /* Write to client. */
1073 if (sw_num > (long)sizeof sbuf)
1077 r = BIO_write(s_ssl_bio, sbuf, i);
1080 if (!BIO_should_retry(s_ssl_bio))
1082 fprintf(stderr,"ERROR in SERVER\n");
1085 /* Ignore "BIO_should_retry". */
1089 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1095 printf("server wrote %d\n", r);
1102 /* Read from client. */
1104 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1107 if (!BIO_should_retry(s_ssl_bio))
1109 fprintf(stderr,"ERROR in SERVER\n");
1116 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1122 printf("server read %d\n", r);
1127 *s_time += (clock() - s_clock);
1131 /* "I/O" BETWEEN CLIENT AND SERVER. */
1134 BIO *io1 = server_io, *io2 = client_io;
1135 /* we use the non-copying interface for io1
1136 * and the standard BIO_write/BIO_read interface for io2
1139 static int prev_progress = 1;
1148 r1 = BIO_ctrl_pending(io1);
1149 r2 = BIO_ctrl_get_write_guarantee(io2);
1158 if (INT_MAX < num) /* yeah, right */
1161 r = BIO_nread(io1, &dataptr, (int)num);
1163 assert(r <= (int)num);
1164 /* possibly r < num (non-contiguous data) */
1166 r = BIO_write(io2, dataptr, (int)num);
1167 if (r != (int)num) /* can't happen */
1169 fprintf(stderr, "ERROR: BIO_write could not write "
1170 "BIO_ctrl_get_write_guarantee() bytes");
1176 printf((io1 == client_io) ?
1177 "C->S relaying: %d bytes\n" :
1178 "S->C relaying: %d bytes\n",
1189 r1 = BIO_ctrl_pending(io2);
1190 r2 = BIO_ctrl_get_read_request(io1);
1191 /* here we could use ..._get_write_guarantee instead of
1192 * ..._get_read_request, but by using the latter
1193 * we test restartability of the SSL implementation
1194 * more thoroughly */
1206 --num; /* test restartability even more thoroughly */
1208 r = BIO_nwrite0(io1, &dataptr);
1212 r = BIO_read(io2, dataptr, (int)num);
1213 if (r != (int)num) /* can't happen */
1215 fprintf(stderr, "ERROR: BIO_read could not read "
1216 "BIO_ctrl_pending() bytes");
1220 r = BIO_nwrite(io1, &dataptr, (int)num);
1221 if (r != (int)num) /* can't happen */
1223 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1224 "BIO_nwrite0() bytes");
1229 printf((io2 == client_io) ?
1230 "C->S relaying: %d bytes\n" :
1231 "S->C relaying: %d bytes\n",
1234 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1236 if (!progress && !prev_progress)
1237 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1239 fprintf(stderr, "ERROR: got stuck\n");
1240 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1242 fprintf(stderr, "This can happen for SSL2 because "
1243 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1244 "concurrently ...");
1245 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1246 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1248 fprintf(stderr, " ok.\n");
1252 fprintf(stderr, " ERROR.\n");
1255 prev_progress = progress;
1258 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1261 print_details(c_ssl, "DONE via BIO pair: ");
1266 ERR_print_errors(bio_err);
1271 BIO_free(server_io);
1275 BIO_free(client_io);
1277 BIO_free(s_ssl_bio);
1279 BIO_free(c_ssl_bio);
1290 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1292 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1293 long cw_num=count,cr_num=count;
1294 long sw_num=count,sr_num=count;
1300 int c_r,c_w,s_r,s_w;
1304 int c_write,s_write;
1305 int do_server=0,do_client=0;
1307 memset(cbuf,0,sizeof(cbuf));
1308 memset(sbuf,0,sizeof(sbuf));
1310 c_to_s=BIO_new(BIO_s_mem());
1311 s_to_c=BIO_new(BIO_s_mem());
1312 if ((s_to_c == NULL) || (c_to_s == NULL))
1314 ERR_print_errors(bio_err);
1318 c_bio=BIO_new(BIO_f_ssl());
1319 s_bio=BIO_new(BIO_f_ssl());
1320 if ((c_bio == NULL) || (s_bio == NULL))
1322 ERR_print_errors(bio_err);
1326 SSL_set_connect_state(c_ssl);
1327 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1328 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1330 SSL_set_accept_state(s_ssl);
1331 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1332 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1338 c_write=1,s_write=0;
1340 /* We can always do writes */
1346 i=(int)BIO_pending(s_bio);
1347 if ((i && s_r) || s_w) do_server=1;
1349 i=(int)BIO_pending(c_bio);
1350 if ((i && c_r) || c_w) do_client=1;
1352 if (do_server && debug)
1354 if (SSL_in_init(s_ssl))
1355 printf("server waiting in SSL_accept - %s\n",
1356 SSL_state_string_long(s_ssl));
1357 /* else if (s_write)
1358 printf("server:SSL_write()\n");
1360 printf("server:SSL_read()\n"); */
1363 if (do_client && debug)
1365 if (SSL_in_init(c_ssl))
1366 printf("client waiting in SSL_connect - %s\n",
1367 SSL_state_string_long(c_ssl));
1368 /* else if (c_write)
1369 printf("client:SSL_write()\n");
1371 printf("client:SSL_read()\n"); */
1374 if (!do_client && !do_server)
1376 fprintf(stdout,"ERROR IN STARTUP\n");
1377 ERR_print_errors(bio_err);
1380 if (do_client && !(done & C_DONE))
1384 j = (cw_num > (long)sizeof(cbuf)) ?
1385 (int)sizeof(cbuf) : (int)cw_num;
1386 i=BIO_write(c_bio,cbuf,j);
1391 if (BIO_should_retry(c_bio))
1393 if (BIO_should_read(c_bio))
1395 if (BIO_should_write(c_bio))
1400 fprintf(stderr,"ERROR in CLIENT\n");
1401 ERR_print_errors(bio_err);
1407 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1413 printf("client wrote %d\n",i);
1422 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1427 if (BIO_should_retry(c_bio))
1429 if (BIO_should_read(c_bio))
1431 if (BIO_should_write(c_bio))
1436 fprintf(stderr,"ERROR in CLIENT\n");
1437 ERR_print_errors(bio_err);
1443 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1449 printf("client read %d\n",i);
1466 if (do_server && !(done & S_DONE))
1470 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1475 if (BIO_should_retry(s_bio))
1477 if (BIO_should_read(s_bio))
1479 if (BIO_should_write(s_bio))
1484 fprintf(stderr,"ERROR in SERVER\n");
1485 ERR_print_errors(bio_err);
1491 ERR_print_errors(bio_err);
1492 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1498 printf("server read %d\n",i);
1515 j = (sw_num > (long)sizeof(sbuf)) ?
1516 (int)sizeof(sbuf) : (int)sw_num;
1517 i=BIO_write(s_bio,sbuf,j);
1522 if (BIO_should_retry(s_bio))
1524 if (BIO_should_read(s_bio))
1526 if (BIO_should_write(s_bio))
1531 fprintf(stderr,"ERROR in SERVER\n");
1532 ERR_print_errors(bio_err);
1538 ERR_print_errors(bio_err);
1539 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1545 printf("server wrote %d\n",i);
1555 if ((done & S_DONE) && (done & C_DONE)) break;
1559 print_details(c_ssl, "DONE: ");
1562 /* We have to set the BIO's to NULL otherwise they will be
1563 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1564 * again when c_ssl is SSL_free()ed.
1565 * This is a hack required because s_ssl and c_ssl are sharing the same
1566 * BIO structure and SSL_set_bio() and SSL_free() automatically
1567 * BIO_free non NULL entries.
1568 * You should not normally do this or be required to do this */
1580 if (c_to_s != NULL) BIO_free(c_to_s);
1581 if (s_to_c != NULL) BIO_free(s_to_c);
1582 if (c_bio != NULL) BIO_free_all(c_bio);
1583 if (s_bio != NULL) BIO_free_all(s_bio);
1587 static int get_proxy_auth_ex_data_idx(void)
1589 static volatile int idx = -1;
1592 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1595 idx = X509_STORE_CTX_get_ex_new_index(0,
1596 "SSLtest for verify callback", NULL,NULL,NULL);
1598 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1603 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1607 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1612 fprintf(stderr,"depth=%d %s\n",
1613 ctx->error_depth,buf);
1616 fprintf(stderr,"depth=%d error=%d %s\n",
1617 ctx->error_depth,ctx->error,buf);
1623 fprintf(stderr,"Error string: %s\n",
1624 X509_verify_cert_error_string(ctx->error));
1627 case X509_V_ERR_CERT_NOT_YET_VALID:
1628 case X509_V_ERR_CERT_HAS_EXPIRED:
1629 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1630 fprintf(stderr," ... ignored.\n");
1637 X509 *xs = ctx->current_cert;
1639 X509 *xi = ctx->current_issuer;
1642 if (xs->ex_flags & EXFLAG_PROXY)
1644 unsigned int *letters =
1645 X509_STORE_CTX_get_ex_data(ctx,
1646 get_proxy_auth_ex_data_idx());
1652 PROXY_CERT_INFO_EXTENSION *pci =
1653 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1656 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1658 case NID_Independent:
1659 /* Completely meaningless in this
1660 program, as there's no way to
1661 grant explicit rights to a
1662 specific PrC. Basically, using
1663 id-ppl-Independent is the perfect
1664 way to grant no rights at all. */
1665 fprintf(stderr, " Independent proxy certificate");
1666 for (i = 0; i < 26; i++)
1669 case NID_id_ppl_inheritAll:
1670 /* This is basically a NOP, we
1671 simply let the current rights
1672 stand as they are. */
1673 fprintf(stderr, " Proxy certificate inherits all");
1677 pci->proxyPolicy->policy->data;
1678 i = pci->proxyPolicy->policy->length;
1680 /* The algorithm works as follows:
1681 it is assumed that previous
1682 iterations or the initial granted
1683 rights has already set some elements
1684 of `letters'. What we need to do is
1685 to clear those that weren't granted
1686 by the current PrC as well. The
1687 easiest way to do this is to add 1
1688 to all the elements whose letters
1689 are given with the current policy.
1690 That way, all elements that are set
1691 by the current policy and were
1692 already set by earlier policies and
1693 through the original grant of rights
1694 will get the value 2 or higher.
1695 The last thing to do is to sweep
1696 through `letters' and keep the
1697 elements having the value 2 as set,
1698 and clear all the others. */
1700 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1704 if (isascii(c) && isalpha(c))
1711 for (i = 0; i < 26; i++)
1720 ", resulting proxy rights = ");
1721 for(i = 0; i < 26; i++)
1724 fprintf(stderr, "%c", i + 'A');
1728 fprintf(stderr, "none");
1729 fprintf(stderr, "\n");
1731 PROXY_CERT_INFO_EXTENSION_free(pci);
1739 static void process_proxy_debug(int indent, const char *format, ...)
1741 static const char indentation[] =
1742 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1743 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1744 char my_format[256];
1747 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1748 indent, indent, indentation, format);
1750 va_start(args, format);
1751 vfprintf(stderr, my_format, args);
1759 static int process_proxy_cond_adders(unsigned int letters[26],
1760 const char *cond, const char **cond_end, int *pos, int indent);
1761 static int process_proxy_cond_val(unsigned int letters[26],
1762 const char *cond, const char **cond_end, int *pos, int indent)
1768 while(isspace(*cond))
1775 process_proxy_debug(indent,
1776 "Start process_proxy_cond_val at position %d: %s\n",
1783 while(isspace(*cond))
1793 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1798 while(isspace(*cond))
1806 "Weird condition character in position %d: "
1813 else if (isascii(c) && isalpha(c))
1817 ok = letters[c - 'A'];
1823 "Weird condition character in position %d: "
1830 if (ok >= 0 && negate)
1834 process_proxy_debug(indent,
1835 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1840 static int process_proxy_cond_multipliers(unsigned int letters[26],
1841 const char *cond, const char **cond_end, int *pos, int indent)
1847 process_proxy_debug(indent,
1848 "Start process_proxy_cond_multipliers at position %d: %s\n",
1851 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1858 while(isspace(*cond))
1872 ok = process_proxy_cond_val(letters,
1873 cond, cond_end, pos, indent + 1);
1887 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1899 process_proxy_debug(indent,
1900 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1906 static int process_proxy_cond_adders(unsigned int letters[26],
1907 const char *cond, const char **cond_end, int *pos, int indent)
1913 process_proxy_debug(indent,
1914 "Start process_proxy_cond_adders at position %d: %s\n",
1917 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1925 while(isspace(*cond))
1938 ok = process_proxy_cond_multipliers(letters,
1939 cond, cond_end, pos, indent + 1);
1950 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1962 process_proxy_debug(indent,
1963 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1970 static int process_proxy_cond(unsigned int letters[26],
1971 const char *cond, const char **cond_end)
1974 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1977 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
1980 struct app_verify_arg *cb_arg = arg;
1981 unsigned int letters[26]; /* only used with proxy_auth */
1983 if (cb_arg->app_verify)
1985 char *s = NULL,buf[256];
1987 fprintf(stderr, "In app_verify_callback, allowing cert. ");
1988 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
1989 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
1992 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1995 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
1999 if (cb_arg->proxy_auth)
2001 int found_any = 0, i;
2004 for(i = 0; i < 26; i++)
2006 for(sp = cb_arg->proxy_auth; *sp; sp++)
2009 if (isascii(c) && isalpha(c))
2013 letters[c - 'A'] = 1;
2018 " Initial proxy rights = ");
2019 for(i = 0; i < 26; i++)
2022 fprintf(stderr, "%c", i + 'A');
2026 fprintf(stderr, "none");
2027 fprintf(stderr, "\n");
2029 X509_STORE_CTX_set_ex_data(ctx,
2030 get_proxy_auth_ex_data_idx(),letters);
2032 if (cb_arg->allow_proxy_certs)
2034 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2037 #ifndef OPENSSL_NO_X509_VERIFY
2038 # ifdef OPENSSL_FIPS
2039 if(s->version == TLS1_VERSION)
2042 ok = X509_verify_cert(ctx);
2043 # ifdef OPENSSL_FIPS
2044 if(s->version == TLS1_VERSION)
2049 if (cb_arg->proxy_auth)
2053 const char *cond_end = NULL;
2055 ok = process_proxy_cond(letters,
2056 cb_arg->proxy_cond, &cond_end);
2062 fprintf(stderr, "Stopped processing condition before it's end.\n");
2066 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2067 cb_arg->proxy_cond);
2069 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2070 cb_arg->proxy_cond);
2076 #ifndef OPENSSL_NO_RSA
2077 static RSA *rsa_tmp=NULL;
2079 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2082 if (rsa_tmp == NULL)
2085 rsa_tmp = RSA_new();
2086 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2088 BIO_printf(bio_err, "Memory error...");
2091 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2092 (void)BIO_flush(bio_err);
2093 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2095 BIO_printf(bio_err, "Error generating key.");
2100 BIO_printf(bio_err,"\n");
2101 (void)BIO_flush(bio_err);
2107 static void free_tmp_rsa(void)
2109 if (rsa_tmp != NULL)
2117 #ifndef OPENSSL_NO_DH
2118 /* These DH parameters have been generated as follows:
2119 * $ openssl dhparam -C -noout 512
2120 * $ openssl dhparam -C -noout 1024
2121 * $ openssl dhparam -C -noout -dsaparam 1024
2122 * (The third function has been renamed to avoid name conflicts.)
2124 static DH *get_dh512()
2126 static unsigned char dh512_p[]={
2127 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2128 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2129 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2130 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2131 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2132 0x02,0xC5,0xAE,0x23,
2134 static unsigned char dh512_g[]={
2139 if ((dh=DH_new()) == NULL) return(NULL);
2140 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2141 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2142 if ((dh->p == NULL) || (dh->g == NULL))
2143 { DH_free(dh); return(NULL); }
2147 static DH *get_dh1024()
2149 static unsigned char dh1024_p[]={
2150 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2151 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2152 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2153 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2154 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2155 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2156 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2157 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2158 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2159 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2160 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2162 static unsigned char dh1024_g[]={
2167 if ((dh=DH_new()) == NULL) return(NULL);
2168 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2169 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2170 if ((dh->p == NULL) || (dh->g == NULL))
2171 { DH_free(dh); return(NULL); }
2175 static DH *get_dh1024dsa()
2177 static unsigned char dh1024_p[]={
2178 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2179 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2180 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2181 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2182 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2183 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2184 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2185 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2186 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2187 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2188 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2190 static unsigned char dh1024_g[]={
2191 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2192 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2193 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2194 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2195 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2196 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2197 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2198 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2199 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2200 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2201 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2205 if ((dh=DH_new()) == NULL) return(NULL);
2206 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2207 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2208 if ((dh->p == NULL) || (dh->g == NULL))
2209 { DH_free(dh); return(NULL); }