2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
131 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #include <openssl/rsa.h>
147 #include <openssl/dsa.h>
148 #include <openssl/dh.h>
149 #include <openssl/bn.h>
151 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
152 on Compaq platforms (at least with DEC C).
153 Do not try to put it earlier, or IPv6 includes
157 #ifdef OPENSSL_SYS_WINDOWS
160 #include OPENSSL_UNISTD
163 #ifdef OPENSSL_SYS_VMS
164 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
165 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
166 #elif defined(OPENSSL_SYS_WINCE)
167 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
168 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
169 #elif defined(OPENSSL_SYS_NETWARE)
170 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
171 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
173 # define TEST_SERVER_CERT "../apps/server.pem"
174 # define TEST_CLIENT_CERT "../apps/client.pem"
177 /* There is really no standard for this, so let's assign some tentative
178 numbers. In any case, these numbers are only for this test */
182 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
183 #ifndef OPENSSL_NO_RSA
184 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
185 static void free_tmp_rsa(void);
187 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
188 #define APP_CALLBACK_STRING "Test Callback Argument"
189 struct app_verify_arg
193 int allow_proxy_certs;
198 #ifndef OPENSSL_NO_DH
199 static DH *get_dh512(void);
200 static DH *get_dh1024(void);
201 static DH *get_dh1024dsa(void);
204 static BIO *bio_err=NULL;
205 static BIO *bio_stdout=NULL;
207 static char *cipher=NULL;
208 static int verbose=0;
217 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
219 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
220 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
221 static void sv_usage(void)
223 fprintf(stderr,"usage: ssltest [args ...]\n");
224 fprintf(stderr,"\n");
225 fprintf(stderr," -server_auth - check server certificate\n");
226 fprintf(stderr," -client_auth - do client authentication\n");
227 fprintf(stderr," -proxy - allow proxy certificates\n");
228 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
229 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
230 fprintf(stderr," -v - more output\n");
231 fprintf(stderr," -d - debug output\n");
232 fprintf(stderr," -reuse - use session-id reuse\n");
233 fprintf(stderr," -num <val> - number of connections to perform\n");
234 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
235 #ifndef OPENSSL_NO_DH
236 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
237 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
238 fprintf(stderr," -no_dhe - disable DHE\n");
240 #ifndef OPENSSL_NO_ECDH
241 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
243 #ifndef OPENSSL_NO_SSL2
244 fprintf(stderr," -ssl2 - use SSLv2\n");
246 #ifndef OPENSSL_NO_SSL3
247 fprintf(stderr," -ssl3 - use SSLv3\n");
249 #ifndef OPENSSL_NO_TLS1
250 fprintf(stderr," -tls1 - use TLSv1\n");
252 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
253 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
254 fprintf(stderr," -cert arg - Server certificate file\n");
255 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
256 fprintf(stderr," -c_cert arg - Client certificate file\n");
257 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
258 fprintf(stderr," -cipher arg - The cipher list\n");
259 fprintf(stderr," -bio_pair - Use BIO pairs\n");
260 fprintf(stderr," -f - Test even cases that can't work\n");
261 fprintf(stderr," -time - measure processor time used by client and server\n");
262 fprintf(stderr," -zlib - use zlib compression\n");
263 fprintf(stderr," -rle - use rle compression\n");
264 #ifndef OPENSSL_NO_ECDH
265 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
266 " Use \"openssl ecparam -list_curves\" for all names\n" \
267 " (default is sect163r2).\n");
271 static void print_details(SSL *c_ssl, const char *prefix)
276 ciph=SSL_get_current_cipher(c_ssl);
277 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
279 SSL_get_version(c_ssl),
280 SSL_CIPHER_get_version(ciph),
281 SSL_CIPHER_get_name(ciph));
282 cert=SSL_get_peer_certificate(c_ssl);
285 EVP_PKEY *pkey = X509_get_pubkey(cert);
290 #ifndef OPENSSL_NO_RSA
291 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
292 && pkey->pkey.rsa->n != NULL)
294 BIO_printf(bio_stdout, ", %d bit RSA",
295 BN_num_bits(pkey->pkey.rsa->n));
298 #ifndef OPENSSL_NO_DSA
299 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
300 && pkey->pkey.dsa->p != NULL)
302 BIO_printf(bio_stdout, ", %d bit DSA",
303 BN_num_bits(pkey->pkey.dsa->p));
310 /* The SSL API does not allow us to look at temporary RSA/DH keys,
311 * otherwise we should print their lengths too */
312 BIO_printf(bio_stdout,"\n");
315 static void lock_dbg_cb(int mode, int type, const char *file, int line)
317 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
318 const char *errstr = NULL;
321 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
322 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
324 errstr = "invalid mode";
328 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
330 errstr = "type out of bounds";
334 if (mode & CRYPTO_LOCK)
338 errstr = "already locked";
339 /* must not happen in a single-threaded program
340 * (would deadlock) */
346 else if (mode & CRYPTO_UNLOCK)
350 errstr = "not locked";
354 if (modes[type] != rw)
356 errstr = (rw == CRYPTO_READ) ?
357 "CRYPTO_r_unlock on write lock" :
358 "CRYPTO_w_unlock on read lock";
365 errstr = "invalid mode";
372 /* we cannot use bio_err here */
373 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
374 errstr, mode, type, file, line);
378 int main(int argc, char *argv[])
380 char *CApath=NULL,*CAfile=NULL;
384 int tls1=0,ssl2=0,ssl3=0,ret=1;
387 struct app_verify_arg app_verify_arg =
388 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
389 char *server_cert=TEST_SERVER_CERT;
390 char *server_key=NULL;
391 char *client_cert=TEST_CLIENT_CERT;
392 char *client_key=NULL;
393 char *named_curve = NULL;
396 SSL_METHOD *meth=NULL;
398 int number=1,reuse=0;
400 #ifndef OPENSSL_NO_DH
402 int dhe1024 = 0, dhe1024dsa = 0;
404 #ifndef OPENSSL_NO_ECDH
410 clock_t s_time = 0, c_time = 0;
412 COMP_METHOD *cm = NULL;
413 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
419 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
421 CRYPTO_set_locking_callback(lock_dbg_cb);
423 /* enable memory leak checking unless explicitly disabled */
424 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
426 CRYPTO_malloc_debug_init();
427 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
431 /* OPENSSL_DEBUG_MEMORY=off */
432 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
434 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
436 RAND_seed(rnd_seed, sizeof rnd_seed);
438 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
445 if (strcmp(*argv,"-server_auth") == 0)
447 else if (strcmp(*argv,"-client_auth") == 0)
449 else if (strcmp(*argv,"-proxy_auth") == 0)
451 if (--argc < 1) goto bad;
452 app_verify_arg.proxy_auth= *(++argv);
454 else if (strcmp(*argv,"-proxy_cond") == 0)
456 if (--argc < 1) goto bad;
457 app_verify_arg.proxy_cond= *(++argv);
459 else if (strcmp(*argv,"-v") == 0)
461 else if (strcmp(*argv,"-d") == 0)
463 else if (strcmp(*argv,"-reuse") == 0)
465 else if (strcmp(*argv,"-dhe1024") == 0)
467 #ifndef OPENSSL_NO_DH
470 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
473 else if (strcmp(*argv,"-dhe1024dsa") == 0)
475 #ifndef OPENSSL_NO_DH
478 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
481 else if (strcmp(*argv,"-no_dhe") == 0)
483 else if (strcmp(*argv,"-no_ecdhe") == 0)
485 else if (strcmp(*argv,"-ssl2") == 0)
487 else if (strcmp(*argv,"-tls1") == 0)
489 else if (strcmp(*argv,"-ssl3") == 0)
491 else if (strncmp(*argv,"-num",4) == 0)
493 if (--argc < 1) goto bad;
494 number= atoi(*(++argv));
495 if (number == 0) number=1;
497 else if (strcmp(*argv,"-bytes") == 0)
499 if (--argc < 1) goto bad;
500 bytes= atol(*(++argv));
501 if (bytes == 0L) bytes=1L;
503 if (argv[0][i-1] == 'k') bytes*=1024L;
504 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
506 else if (strcmp(*argv,"-cert") == 0)
508 if (--argc < 1) goto bad;
509 server_cert= *(++argv);
511 else if (strcmp(*argv,"-s_cert") == 0)
513 if (--argc < 1) goto bad;
514 server_cert= *(++argv);
516 else if (strcmp(*argv,"-key") == 0)
518 if (--argc < 1) goto bad;
519 server_key= *(++argv);
521 else if (strcmp(*argv,"-s_key") == 0)
523 if (--argc < 1) goto bad;
524 server_key= *(++argv);
526 else if (strcmp(*argv,"-c_cert") == 0)
528 if (--argc < 1) goto bad;
529 client_cert= *(++argv);
531 else if (strcmp(*argv,"-c_key") == 0)
533 if (--argc < 1) goto bad;
534 client_key= *(++argv);
536 else if (strcmp(*argv,"-cipher") == 0)
538 if (--argc < 1) goto bad;
541 else if (strcmp(*argv,"-CApath") == 0)
543 if (--argc < 1) goto bad;
546 else if (strcmp(*argv,"-CAfile") == 0)
548 if (--argc < 1) goto bad;
551 else if (strcmp(*argv,"-bio_pair") == 0)
555 else if (strcmp(*argv,"-f") == 0)
559 else if (strcmp(*argv,"-time") == 0)
563 else if (strcmp(*argv,"-zlib") == 0)
567 else if (strcmp(*argv,"-rle") == 0)
571 else if (strcmp(*argv,"-named_curve") == 0)
573 if (--argc < 1) goto bad;
574 #ifndef OPENSSL_NO_ECDH
575 named_curve = *(++argv);
577 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
581 else if (strcmp(*argv,"-app_verify") == 0)
583 app_verify_arg.app_verify = 1;
585 else if (strcmp(*argv,"-proxy") == 0)
587 app_verify_arg.allow_proxy_certs = 1;
591 fprintf(stderr,"unknown option %s\n",*argv);
605 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
607 fprintf(stderr, "This case cannot work. Use -f to perform "
608 "the test anyway (and\n-d to see what happens), "
609 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
610 "to avoid protocol mismatch.\n");
618 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
621 if (number < 50 && !force)
622 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
625 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
628 SSL_load_error_strings();
630 if (comp == COMP_ZLIB) cm = COMP_zlib();
631 if (comp == COMP_RLE) cm = COMP_rle();
634 if (cm->type != NID_undef)
636 if (SSL_COMP_add_compression_method(comp, cm) != 0)
639 "Failed to add compression method\n");
640 ERR_print_errors_fp(stderr);
646 "Warning: %s compression not supported\n",
647 (comp == COMP_RLE ? "rle" :
648 (comp == COMP_ZLIB ? "zlib" :
650 ERR_print_errors_fp(stderr);
653 ssl_comp_methods = SSL_COMP_get_compression_methods();
654 fprintf(stderr, "Available compression methods:\n");
656 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
658 fprintf(stderr, " NONE\n");
660 for (j = 0; j < n; j++)
662 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
663 fprintf(stderr, " %d: %s\n", c->id, c->name);
667 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
677 meth=SSLv23_method();
679 #ifdef OPENSSL_NO_SSL2
686 c_ctx=SSL_CTX_new(meth);
687 s_ctx=SSL_CTX_new(meth);
688 if ((c_ctx == NULL) || (s_ctx == NULL))
690 ERR_print_errors(bio_err);
696 SSL_CTX_set_cipher_list(c_ctx,cipher);
697 SSL_CTX_set_cipher_list(s_ctx,cipher);
700 #ifndef OPENSSL_NO_DH
705 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
706 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
713 SSL_CTX_set_tmp_dh(s_ctx,dh);
720 #ifndef OPENSSL_NO_ECDH
725 if (named_curve != NULL)
727 nid = OBJ_sn2nid(named_curve);
730 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
737 ecdh = EC_KEY_new_by_curve_name(nid);
740 BIO_printf(bio_err, "unable to create curve\n");
744 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
745 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
752 #ifndef OPENSSL_NO_RSA
753 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
756 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
758 ERR_print_errors(bio_err);
760 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
761 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
763 ERR_print_errors(bio_err);
769 SSL_CTX_use_certificate_file(c_ctx,client_cert,
771 SSL_CTX_use_PrivateKey_file(c_ctx,
772 (client_key?client_key:client_cert),
776 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
777 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
778 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
779 (!SSL_CTX_set_default_verify_paths(c_ctx)))
781 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
782 ERR_print_errors(bio_err);
788 BIO_printf(bio_err,"client authentication\n");
789 SSL_CTX_set_verify(s_ctx,
790 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
792 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
796 BIO_printf(bio_err,"server authentication\n");
797 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
799 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
803 int session_id_context = 0;
804 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
807 c_ssl=SSL_new(c_ctx);
808 s_ssl=SSL_new(s_ctx);
810 #ifndef OPENSSL_NO_KRB5
811 if (c_ssl && c_ssl->kssl_ctx)
813 char localhost[MAXHOSTNAMELEN+2];
815 if (gethostname(localhost, sizeof localhost-1) == 0)
817 localhost[sizeof localhost-1]='\0';
818 if(strlen(localhost) == sizeof localhost-1)
820 BIO_printf(bio_err,"localhost name too long\n");
823 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
827 #endif /* OPENSSL_NO_KRB5 */
829 for (i=0; i<number; i++)
831 if (!reuse) SSL_set_session(c_ssl,NULL);
833 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
835 ret=doit(s_ssl,c_ssl,bytes);
840 print_details(c_ssl, "");
842 if ((number > 1) || (bytes > 1L))
843 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
846 #ifdef CLOCKS_PER_SEC
847 /* "To determine the time in seconds, the value returned
848 * by the clock function should be divided by the value
849 * of the macro CLOCKS_PER_SEC."
851 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
852 "Approximate total client time: %6.2f s\n",
853 (double)s_time/CLOCKS_PER_SEC,
854 (double)c_time/CLOCKS_PER_SEC);
856 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
857 * -- cc on NeXTstep/OpenStep */
858 BIO_printf(bio_stdout,
859 "Approximate total server time: %6.2f units\n"
860 "Approximate total client time: %6.2f units\n",
870 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
871 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
873 if (bio_stdout != NULL) BIO_free(bio_stdout);
875 #ifndef OPENSSL_NO_RSA
878 #ifndef OPENSSL_NO_ENGINE
881 CRYPTO_cleanup_all_ex_data();
885 CRYPTO_mem_leaks(bio_err);
886 if (bio_err != NULL) BIO_free(bio_err);
890 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
891 clock_t *s_time, clock_t *c_time)
893 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
894 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
895 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
898 size_t bufsiz = 256; /* small buffer for testing */
900 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
902 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
905 s_ssl_bio = BIO_new(BIO_f_ssl());
909 c_ssl_bio = BIO_new(BIO_f_ssl());
913 SSL_set_connect_state(c_ssl);
914 SSL_set_bio(c_ssl, client, client);
915 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
917 SSL_set_accept_state(s_ssl);
918 SSL_set_bio(s_ssl, server, server);
919 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
923 /* c_ssl_bio: SSL filter BIO
925 * client: pseudo-I/O for SSL library
927 * client_io: client's SSL communication; usually to be
928 * relayed over some I/O facility, but in this
929 * test program, we're the server, too:
931 * server_io: server's SSL communication
933 * server: pseudo-I/O for SSL library
935 * s_ssl_bio: SSL filter BIO
937 * The client and the server each employ a "BIO pair":
938 * client + client_io, server + server_io.
939 * BIO pairs are symmetric. A BIO pair behaves similar
940 * to a non-blocking socketpair (but both endpoints must
941 * be handled by the same thread).
942 * [Here we could connect client and server to the ends
943 * of a single BIO pair, but then this code would be less
944 * suitable as an example for BIO pairs in general.]
946 * Useful functions for querying the state of BIO pair endpoints:
948 * BIO_ctrl_pending(bio) number of bytes we can read now
949 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
950 * other side's read attempt
951 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
953 * ..._read_request is never more than ..._write_guarantee;
954 * it depends on the application which one you should use.
957 /* We have non-blocking behaviour throughout this test program, but
958 * can be sure that there is *some* progress in each iteration; so
959 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
960 * -- we just try everything in each iteration
966 MS_STATIC char cbuf[1024*8];
968 clock_t c_clock = clock();
970 memset(cbuf, 0, sizeof(cbuf));
973 if (SSL_in_init(c_ssl))
974 printf("client waiting in SSL_connect - %s\n",
975 SSL_state_string_long(c_ssl));
979 /* Write to server. */
981 if (cw_num > (long)sizeof cbuf)
985 r = BIO_write(c_ssl_bio, cbuf, i);
988 if (!BIO_should_retry(c_ssl_bio))
990 fprintf(stderr,"ERROR in CLIENT\n");
993 /* BIO_should_retry(...) can just be ignored here.
994 * The library expects us to call BIO_write with
995 * the same arguments again, and that's what we will
996 * do in the next iteration. */
1000 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1006 printf("client wrote %d\n", r);
1013 /* Read from server. */
1015 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1018 if (!BIO_should_retry(c_ssl_bio))
1020 fprintf(stderr,"ERROR in CLIENT\n");
1023 /* Again, "BIO_should_retry" can be ignored. */
1027 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1033 printf("client read %d\n", r);
1038 /* c_time and s_time increments will typically be very small
1039 * (depending on machine speed and clock tick intervals),
1040 * but sampling over a large number of connections should
1041 * result in fairly accurate figures. We cannot guarantee
1042 * a lot, however -- if each connection lasts for exactly
1043 * one clock tick, it will be counted only for the client
1044 * or only for the server or even not at all.
1046 *c_time += (clock() - c_clock);
1052 MS_STATIC char sbuf[1024*8];
1054 clock_t s_clock = clock();
1056 memset(sbuf, 0, sizeof(sbuf));
1059 if (SSL_in_init(s_ssl))
1060 printf("server waiting in SSL_accept - %s\n",
1061 SSL_state_string_long(s_ssl));
1065 /* Write to client. */
1067 if (sw_num > (long)sizeof sbuf)
1071 r = BIO_write(s_ssl_bio, sbuf, i);
1074 if (!BIO_should_retry(s_ssl_bio))
1076 fprintf(stderr,"ERROR in SERVER\n");
1079 /* Ignore "BIO_should_retry". */
1083 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1089 printf("server wrote %d\n", r);
1096 /* Read from client. */
1098 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1101 if (!BIO_should_retry(s_ssl_bio))
1103 fprintf(stderr,"ERROR in SERVER\n");
1110 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1116 printf("server read %d\n", r);
1121 *s_time += (clock() - s_clock);
1125 /* "I/O" BETWEEN CLIENT AND SERVER. */
1128 BIO *io1 = server_io, *io2 = client_io;
1129 /* we use the non-copying interface for io1
1130 * and the standard BIO_write/BIO_read interface for io2
1133 static int prev_progress = 1;
1142 r1 = BIO_ctrl_pending(io1);
1143 r2 = BIO_ctrl_get_write_guarantee(io2);
1152 if (INT_MAX < num) /* yeah, right */
1155 r = BIO_nread(io1, &dataptr, (int)num);
1157 assert(r <= (int)num);
1158 /* possibly r < num (non-contiguous data) */
1160 r = BIO_write(io2, dataptr, (int)num);
1161 if (r != (int)num) /* can't happen */
1163 fprintf(stderr, "ERROR: BIO_write could not write "
1164 "BIO_ctrl_get_write_guarantee() bytes");
1170 printf((io1 == client_io) ?
1171 "C->S relaying: %d bytes\n" :
1172 "S->C relaying: %d bytes\n",
1183 r1 = BIO_ctrl_pending(io2);
1184 r2 = BIO_ctrl_get_read_request(io1);
1185 /* here we could use ..._get_write_guarantee instead of
1186 * ..._get_read_request, but by using the latter
1187 * we test restartability of the SSL implementation
1188 * more thoroughly */
1200 --num; /* test restartability even more thoroughly */
1202 r = BIO_nwrite0(io1, &dataptr);
1206 r = BIO_read(io2, dataptr, (int)num);
1207 if (r != (int)num) /* can't happen */
1209 fprintf(stderr, "ERROR: BIO_read could not read "
1210 "BIO_ctrl_pending() bytes");
1214 r = BIO_nwrite(io1, &dataptr, (int)num);
1215 if (r != (int)num) /* can't happen */
1217 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1218 "BIO_nwrite0() bytes");
1223 printf((io2 == client_io) ?
1224 "C->S relaying: %d bytes\n" :
1225 "S->C relaying: %d bytes\n",
1228 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1230 if (!progress && !prev_progress)
1231 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1233 fprintf(stderr, "ERROR: got stuck\n");
1234 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1236 fprintf(stderr, "This can happen for SSL2 because "
1237 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1238 "concurrently ...");
1239 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1240 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1242 fprintf(stderr, " ok.\n");
1246 fprintf(stderr, " ERROR.\n");
1249 prev_progress = progress;
1252 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1255 print_details(c_ssl, "DONE via BIO pair: ");
1260 ERR_print_errors(bio_err);
1265 BIO_free(server_io);
1269 BIO_free(client_io);
1271 BIO_free(s_ssl_bio);
1273 BIO_free(c_ssl_bio);
1284 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1286 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1287 long cw_num=count,cr_num=count;
1288 long sw_num=count,sr_num=count;
1294 int c_r,c_w,s_r,s_w;
1298 int c_write,s_write;
1299 int do_server=0,do_client=0;
1301 memset(cbuf,0,sizeof(cbuf));
1302 memset(sbuf,0,sizeof(sbuf));
1304 c_to_s=BIO_new(BIO_s_mem());
1305 s_to_c=BIO_new(BIO_s_mem());
1306 if ((s_to_c == NULL) || (c_to_s == NULL))
1308 ERR_print_errors(bio_err);
1312 c_bio=BIO_new(BIO_f_ssl());
1313 s_bio=BIO_new(BIO_f_ssl());
1314 if ((c_bio == NULL) || (s_bio == NULL))
1316 ERR_print_errors(bio_err);
1320 SSL_set_connect_state(c_ssl);
1321 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1322 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1324 SSL_set_accept_state(s_ssl);
1325 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1326 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1332 c_write=1,s_write=0;
1334 /* We can always do writes */
1340 i=(int)BIO_pending(s_bio);
1341 if ((i && s_r) || s_w) do_server=1;
1343 i=(int)BIO_pending(c_bio);
1344 if ((i && c_r) || c_w) do_client=1;
1346 if (do_server && debug)
1348 if (SSL_in_init(s_ssl))
1349 printf("server waiting in SSL_accept - %s\n",
1350 SSL_state_string_long(s_ssl));
1351 /* else if (s_write)
1352 printf("server:SSL_write()\n");
1354 printf("server:SSL_read()\n"); */
1357 if (do_client && debug)
1359 if (SSL_in_init(c_ssl))
1360 printf("client waiting in SSL_connect - %s\n",
1361 SSL_state_string_long(c_ssl));
1362 /* else if (c_write)
1363 printf("client:SSL_write()\n");
1365 printf("client:SSL_read()\n"); */
1368 if (!do_client && !do_server)
1370 fprintf(stdout,"ERROR IN STARTUP\n");
1371 ERR_print_errors(bio_err);
1374 if (do_client && !(done & C_DONE))
1378 j = (cw_num > (long)sizeof(cbuf)) ?
1379 (int)sizeof(cbuf) : (int)cw_num;
1380 i=BIO_write(c_bio,cbuf,j);
1385 if (BIO_should_retry(c_bio))
1387 if (BIO_should_read(c_bio))
1389 if (BIO_should_write(c_bio))
1394 fprintf(stderr,"ERROR in CLIENT\n");
1395 ERR_print_errors(bio_err);
1401 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1407 printf("client wrote %d\n",i);
1416 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1421 if (BIO_should_retry(c_bio))
1423 if (BIO_should_read(c_bio))
1425 if (BIO_should_write(c_bio))
1430 fprintf(stderr,"ERROR in CLIENT\n");
1431 ERR_print_errors(bio_err);
1437 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1443 printf("client read %d\n",i);
1460 if (do_server && !(done & S_DONE))
1464 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1469 if (BIO_should_retry(s_bio))
1471 if (BIO_should_read(s_bio))
1473 if (BIO_should_write(s_bio))
1478 fprintf(stderr,"ERROR in SERVER\n");
1479 ERR_print_errors(bio_err);
1485 ERR_print_errors(bio_err);
1486 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1492 printf("server read %d\n",i);
1509 j = (sw_num > (long)sizeof(sbuf)) ?
1510 (int)sizeof(sbuf) : (int)sw_num;
1511 i=BIO_write(s_bio,sbuf,j);
1516 if (BIO_should_retry(s_bio))
1518 if (BIO_should_read(s_bio))
1520 if (BIO_should_write(s_bio))
1525 fprintf(stderr,"ERROR in SERVER\n");
1526 ERR_print_errors(bio_err);
1532 ERR_print_errors(bio_err);
1533 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1539 printf("server wrote %d\n",i);
1549 if ((done & S_DONE) && (done & C_DONE)) break;
1553 print_details(c_ssl, "DONE: ");
1556 /* We have to set the BIO's to NULL otherwise they will be
1557 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1558 * again when c_ssl is SSL_free()ed.
1559 * This is a hack required because s_ssl and c_ssl are sharing the same
1560 * BIO structure and SSL_set_bio() and SSL_free() automatically
1561 * BIO_free non NULL entries.
1562 * You should not normally do this or be required to do this */
1574 if (c_to_s != NULL) BIO_free(c_to_s);
1575 if (s_to_c != NULL) BIO_free(s_to_c);
1576 if (c_bio != NULL) BIO_free_all(c_bio);
1577 if (s_bio != NULL) BIO_free_all(s_bio);
1581 static int get_proxy_auth_ex_data_idx(void)
1583 static volatile int idx = -1;
1586 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1589 idx = X509_STORE_CTX_get_ex_new_index(0,
1590 "SSLtest for verify callback", NULL,NULL,NULL);
1592 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1597 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1601 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1606 fprintf(stderr,"depth=%d %s\n",
1607 ctx->error_depth,buf);
1610 fprintf(stderr,"depth=%d error=%d %s\n",
1611 ctx->error_depth,ctx->error,buf);
1617 fprintf(stderr,"Error string: %s\n",
1618 X509_verify_cert_error_string(ctx->error));
1621 case X509_V_ERR_CERT_NOT_YET_VALID:
1622 case X509_V_ERR_CERT_HAS_EXPIRED:
1623 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1624 fprintf(stderr," ... ignored.\n");
1631 X509 *xs = ctx->current_cert;
1633 X509 *xi = ctx->current_issuer;
1636 if (xs->ex_flags & EXFLAG_PROXY)
1638 unsigned int *letters =
1639 X509_STORE_CTX_get_ex_data(ctx,
1640 get_proxy_auth_ex_data_idx());
1646 PROXY_CERT_INFO_EXTENSION *pci =
1647 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1650 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1652 case NID_Independent:
1653 /* Completely meaningless in this
1654 program, as there's no way to
1655 grant explicit rights to a
1656 specific PrC. Basically, using
1657 id-ppl-Independent is the perfect
1658 way to grant no rights at all. */
1659 fprintf(stderr, " Independent proxy certificate");
1660 for (i = 0; i < 26; i++)
1663 case NID_id_ppl_inheritAll:
1664 /* This is basically a NOP, we
1665 simply let the current rights
1666 stand as they are. */
1667 fprintf(stderr, " Proxy certificate inherits all");
1671 pci->proxyPolicy->policy->data;
1672 i = pci->proxyPolicy->policy->length;
1674 /* The algorithm works as follows:
1675 it is assumed that previous
1676 iterations or the initial granted
1677 rights has already set some elements
1678 of `letters'. What we need to do is
1679 to clear those that weren't granted
1680 by the current PrC as well. The
1681 easiest way to do this is to add 1
1682 to all the elements whose letters
1683 are given with the current policy.
1684 That way, all elements that are set
1685 by the current policy and were
1686 already set by earlier policies and
1687 through the original grant of rights
1688 will get the value 2 or higher.
1689 The last thing to do is to sweep
1690 through `letters' and keep the
1691 elements having the value 2 as set,
1692 and clear all the others. */
1694 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1698 if (isascii(c) && isalpha(c))
1705 for (i = 0; i < 26; i++)
1714 ", resulting proxy rights = ");
1715 for(i = 0; i < 26; i++)
1718 fprintf(stderr, "%c", i + 'A');
1722 fprintf(stderr, "none");
1723 fprintf(stderr, "\n");
1725 PROXY_CERT_INFO_EXTENSION_free(pci);
1733 static void process_proxy_debug(int indent, const char *format, ...)
1735 static const char indentation[] =
1736 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1737 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1738 char my_format[256];
1741 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1742 indent, indent, indentation, format);
1744 va_start(args, format);
1745 vfprintf(stderr, my_format, args);
1753 static int process_proxy_cond_adders(unsigned int letters[26],
1754 const char *cond, const char **cond_end, int *pos, int indent);
1755 static int process_proxy_cond_val(unsigned int letters[26],
1756 const char *cond, const char **cond_end, int *pos, int indent)
1762 while(isspace(*cond))
1769 process_proxy_debug(indent,
1770 "Start process_proxy_cond_val at position %d: %s\n",
1777 while(isspace(*cond))
1787 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1792 while(isspace(*cond))
1800 "Weird condition character in position %d: "
1807 else if (isascii(c) && isalpha(c))
1811 ok = letters[c - 'A'];
1817 "Weird condition character in position %d: "
1824 if (ok >= 0 && negate)
1828 process_proxy_debug(indent,
1829 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1834 static int process_proxy_cond_multipliers(unsigned int letters[26],
1835 const char *cond, const char **cond_end, int *pos, int indent)
1841 process_proxy_debug(indent,
1842 "Start process_proxy_cond_multipliers at position %d: %s\n",
1845 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1852 while(isspace(*cond))
1866 ok = process_proxy_cond_val(letters,
1867 cond, cond_end, pos, indent + 1);
1881 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1893 process_proxy_debug(indent,
1894 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1900 static int process_proxy_cond_adders(unsigned int letters[26],
1901 const char *cond, const char **cond_end, int *pos, int indent)
1907 process_proxy_debug(indent,
1908 "Start process_proxy_cond_adders at position %d: %s\n",
1911 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1919 while(isspace(*cond))
1932 ok = process_proxy_cond_multipliers(letters,
1933 cond, cond_end, pos, indent + 1);
1944 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1956 process_proxy_debug(indent,
1957 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1964 static int process_proxy_cond(unsigned int letters[26],
1965 const char *cond, const char **cond_end)
1968 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1971 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
1974 struct app_verify_arg *cb_arg = arg;
1975 unsigned int letters[26]; /* only used with proxy_auth */
1977 if (cb_arg->app_verify)
1979 char *s = NULL,buf[256];
1981 fprintf(stderr, "In app_verify_callback, allowing cert. ");
1982 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
1983 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
1984 (void *)ctx, (void *)ctx->cert);
1986 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1989 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
1993 if (cb_arg->proxy_auth)
1995 int found_any = 0, i;
1998 for(i = 0; i < 26; i++)
2000 for(sp = cb_arg->proxy_auth; *sp; sp++)
2003 if (isascii(c) && isalpha(c))
2007 letters[c - 'A'] = 1;
2012 " Initial proxy rights = ");
2013 for(i = 0; i < 26; i++)
2016 fprintf(stderr, "%c", i + 'A');
2020 fprintf(stderr, "none");
2021 fprintf(stderr, "\n");
2023 X509_STORE_CTX_set_ex_data(ctx,
2024 get_proxy_auth_ex_data_idx(),letters);
2026 if (cb_arg->allow_proxy_certs)
2028 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2031 #ifndef OPENSSL_NO_X509_VERIFY
2032 # ifdef OPENSSL_FIPS
2033 if(s->version == TLS1_VERSION)
2036 ok = X509_verify_cert(ctx);
2037 # ifdef OPENSSL_FIPS
2038 if(s->version == TLS1_VERSION)
2043 if (cb_arg->proxy_auth)
2047 const char *cond_end = NULL;
2049 ok = process_proxy_cond(letters,
2050 cb_arg->proxy_cond, &cond_end);
2056 fprintf(stderr, "Stopped processing condition before it's end.\n");
2060 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2061 cb_arg->proxy_cond);
2063 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2064 cb_arg->proxy_cond);
2070 #ifndef OPENSSL_NO_RSA
2071 static RSA *rsa_tmp=NULL;
2073 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2076 if (rsa_tmp == NULL)
2079 rsa_tmp = RSA_new();
2080 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2082 BIO_printf(bio_err, "Memory error...");
2085 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2086 (void)BIO_flush(bio_err);
2087 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2089 BIO_printf(bio_err, "Error generating key.");
2094 BIO_printf(bio_err,"\n");
2095 (void)BIO_flush(bio_err);
2101 static void free_tmp_rsa(void)
2103 if (rsa_tmp != NULL)
2111 #ifndef OPENSSL_NO_DH
2112 /* These DH parameters have been generated as follows:
2113 * $ openssl dhparam -C -noout 512
2114 * $ openssl dhparam -C -noout 1024
2115 * $ openssl dhparam -C -noout -dsaparam 1024
2116 * (The third function has been renamed to avoid name conflicts.)
2118 static DH *get_dh512()
2120 static unsigned char dh512_p[]={
2121 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2122 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2123 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2124 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2125 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2126 0x02,0xC5,0xAE,0x23,
2128 static unsigned char dh512_g[]={
2133 if ((dh=DH_new()) == NULL) return(NULL);
2134 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2135 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2136 if ((dh->p == NULL) || (dh->g == NULL))
2137 { DH_free(dh); return(NULL); }
2141 static DH *get_dh1024()
2143 static unsigned char dh1024_p[]={
2144 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2145 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2146 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2147 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2148 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2149 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2150 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2151 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2152 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2153 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2154 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2156 static unsigned char dh1024_g[]={
2161 if ((dh=DH_new()) == NULL) return(NULL);
2162 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2163 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2164 if ((dh->p == NULL) || (dh->g == NULL))
2165 { DH_free(dh); return(NULL); }
2169 static DH *get_dh1024dsa()
2171 static unsigned char dh1024_p[]={
2172 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2173 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2174 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2175 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2176 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2177 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2178 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2179 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2180 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2181 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2182 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2184 static unsigned char dh1024_g[]={
2185 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2186 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2187 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2188 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2189 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2190 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2191 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2192 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2193 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2194 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2195 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2199 if ((dh=DH_new()) == NULL) return(NULL);
2200 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2201 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2202 if ((dh->p == NULL) || (dh->g == NULL))
2203 { DH_free(dh); return(NULL); }