2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
131 #define _XOPEN_SOURCE 1 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #include <openssl/rsa.h>
147 #include <openssl/dsa.h>
148 #include <openssl/dh.h>
149 #include <openssl/bn.h>
151 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
152 on Compaq platforms (at least with DEC C).
153 Do not try to put it earlier, or IPv6 includes
157 #ifdef OPENSSL_SYS_WINDOWS
160 #include OPENSSL_UNISTD
163 #ifdef OPENSSL_SYS_VMS
164 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
165 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
166 #elif defined(OPENSSL_SYS_WINCE)
167 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
168 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
169 #elif defined(OPENSSL_SYS_NETWARE)
170 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
171 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
173 # define TEST_SERVER_CERT "../apps/server.pem"
174 # define TEST_CLIENT_CERT "../apps/client.pem"
177 /* There is really no standard for this, so let's assign some tentative
178 numbers. In any case, these numbers are only for this test */
182 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
183 #ifndef OPENSSL_NO_RSA
184 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
185 static void free_tmp_rsa(void);
187 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
188 #define APP_CALLBACK_STRING "Test Callback Argument"
189 struct app_verify_arg
197 #ifndef OPENSSL_NO_DH
198 static DH *get_dh512(void);
199 static DH *get_dh1024(void);
200 static DH *get_dh1024dsa(void);
203 static BIO *bio_err=NULL;
204 static BIO *bio_stdout=NULL;
206 static char *cipher=NULL;
207 static int verbose=0;
216 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
218 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
219 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
220 static void sv_usage(void)
222 fprintf(stderr,"usage: ssltest [args ...]\n");
223 fprintf(stderr,"\n");
224 fprintf(stderr," -server_auth - check server certificate\n");
225 fprintf(stderr," -client_auth - do client authentication\n");
226 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
227 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
228 fprintf(stderr," -v - more output\n");
229 fprintf(stderr," -d - debug output\n");
230 fprintf(stderr," -reuse - use session-id reuse\n");
231 fprintf(stderr," -num <val> - number of connections to perform\n");
232 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
233 #ifndef OPENSSL_NO_DH
234 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
235 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
236 fprintf(stderr," -no_dhe - disable DHE\n");
238 #ifndef OPENSSL_NO_ECDH
239 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
241 #ifndef OPENSSL_NO_SSL2
242 fprintf(stderr," -ssl2 - use SSLv2\n");
244 #ifndef OPENSSL_NO_SSL3
245 fprintf(stderr," -ssl3 - use SSLv3\n");
247 #ifndef OPENSSL_NO_TLS1
248 fprintf(stderr," -tls1 - use TLSv1\n");
250 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
251 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
252 fprintf(stderr," -cert arg - Server certificate file\n");
253 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
254 fprintf(stderr," -c_cert arg - Client certificate file\n");
255 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
256 fprintf(stderr," -cipher arg - The cipher list\n");
257 fprintf(stderr," -bio_pair - Use BIO pairs\n");
258 fprintf(stderr," -f - Test even cases that can't work\n");
259 fprintf(stderr," -time - measure processor time used by client and server\n");
260 fprintf(stderr," -zlib - use zlib compression\n");
261 fprintf(stderr," -rle - use rle compression\n");
262 #ifndef OPENSSL_NO_ECDH
263 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
264 " Use \"openssl ecparam -list_curves\" for all names\n" \
265 " (default is sect163r2).\n");
269 static void print_details(SSL *c_ssl, const char *prefix)
274 ciph=SSL_get_current_cipher(c_ssl);
275 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
277 SSL_get_version(c_ssl),
278 SSL_CIPHER_get_version(ciph),
279 SSL_CIPHER_get_name(ciph));
280 cert=SSL_get_peer_certificate(c_ssl);
283 EVP_PKEY *pkey = X509_get_pubkey(cert);
288 #ifndef OPENSSL_NO_RSA
289 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
290 && pkey->pkey.rsa->n != NULL)
292 BIO_printf(bio_stdout, ", %d bit RSA",
293 BN_num_bits(pkey->pkey.rsa->n));
296 #ifndef OPENSSL_NO_DSA
297 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
298 && pkey->pkey.dsa->p != NULL)
300 BIO_printf(bio_stdout, ", %d bit DSA",
301 BN_num_bits(pkey->pkey.dsa->p));
308 /* The SSL API does not allow us to look at temporary RSA/DH keys,
309 * otherwise we should print their lengths too */
310 BIO_printf(bio_stdout,"\n");
313 static void lock_dbg_cb(int mode, int type, const char *file, int line)
315 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
316 const char *errstr = NULL;
319 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
320 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
322 errstr = "invalid mode";
326 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
328 errstr = "type out of bounds";
332 if (mode & CRYPTO_LOCK)
336 errstr = "already locked";
337 /* must not happen in a single-threaded program
338 * (would deadlock) */
344 else if (mode & CRYPTO_UNLOCK)
348 errstr = "not locked";
352 if (modes[type] != rw)
354 errstr = (rw == CRYPTO_READ) ?
355 "CRYPTO_r_unlock on write lock" :
356 "CRYPTO_w_unlock on read lock";
363 errstr = "invalid mode";
370 /* we cannot use bio_err here */
371 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
372 errstr, mode, type, file, line);
376 int main(int argc, char *argv[])
378 char *CApath=NULL,*CAfile=NULL;
382 int tls1=0,ssl2=0,ssl3=0,ret=1;
385 struct app_verify_arg app_verify_arg =
386 { APP_CALLBACK_STRING, 0, NULL, NULL };
387 char *server_cert=TEST_SERVER_CERT;
388 char *server_key=NULL;
389 char *client_cert=TEST_CLIENT_CERT;
390 char *client_key=NULL;
391 char *named_curve = NULL;
394 SSL_METHOD *meth=NULL;
396 int number=1,reuse=0;
398 #ifndef OPENSSL_NO_DH
400 int dhe1024 = 0, dhe1024dsa = 0;
402 #ifndef OPENSSL_NO_ECDH
408 clock_t s_time = 0, c_time = 0;
410 COMP_METHOD *cm = NULL;
411 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
417 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
419 CRYPTO_set_locking_callback(lock_dbg_cb);
421 /* enable memory leak checking unless explicitly disabled */
422 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
424 CRYPTO_malloc_debug_init();
425 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
429 /* OPENSSL_DEBUG_MEMORY=off */
430 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
432 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
434 RAND_seed(rnd_seed, sizeof rnd_seed);
436 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
443 if (strcmp(*argv,"-server_auth") == 0)
445 else if (strcmp(*argv,"-client_auth") == 0)
447 else if (strcmp(*argv,"-proxy_auth") == 0)
449 if (--argc < 1) goto bad;
450 app_verify_arg.proxy_auth= *(++argv);
452 else if (strcmp(*argv,"-proxy_cond") == 0)
454 if (--argc < 1) goto bad;
455 app_verify_arg.proxy_cond= *(++argv);
457 else if (strcmp(*argv,"-v") == 0)
459 else if (strcmp(*argv,"-d") == 0)
461 else if (strcmp(*argv,"-reuse") == 0)
463 else if (strcmp(*argv,"-dhe1024") == 0)
465 #ifndef OPENSSL_NO_DH
468 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
471 else if (strcmp(*argv,"-dhe1024dsa") == 0)
473 #ifndef OPENSSL_NO_DH
476 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
479 else if (strcmp(*argv,"-no_dhe") == 0)
481 else if (strcmp(*argv,"-no_ecdhe") == 0)
483 else if (strcmp(*argv,"-ssl2") == 0)
485 else if (strcmp(*argv,"-tls1") == 0)
487 else if (strcmp(*argv,"-ssl3") == 0)
489 else if (strncmp(*argv,"-num",4) == 0)
491 if (--argc < 1) goto bad;
492 number= atoi(*(++argv));
493 if (number == 0) number=1;
495 else if (strcmp(*argv,"-bytes") == 0)
497 if (--argc < 1) goto bad;
498 bytes= atol(*(++argv));
499 if (bytes == 0L) bytes=1L;
501 if (argv[0][i-1] == 'k') bytes*=1024L;
502 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
504 else if (strcmp(*argv,"-cert") == 0)
506 if (--argc < 1) goto bad;
507 server_cert= *(++argv);
509 else if (strcmp(*argv,"-s_cert") == 0)
511 if (--argc < 1) goto bad;
512 server_cert= *(++argv);
514 else if (strcmp(*argv,"-key") == 0)
516 if (--argc < 1) goto bad;
517 server_key= *(++argv);
519 else if (strcmp(*argv,"-s_key") == 0)
521 if (--argc < 1) goto bad;
522 server_key= *(++argv);
524 else if (strcmp(*argv,"-c_cert") == 0)
526 if (--argc < 1) goto bad;
527 client_cert= *(++argv);
529 else if (strcmp(*argv,"-c_key") == 0)
531 if (--argc < 1) goto bad;
532 client_key= *(++argv);
534 else if (strcmp(*argv,"-cipher") == 0)
536 if (--argc < 1) goto bad;
539 else if (strcmp(*argv,"-CApath") == 0)
541 if (--argc < 1) goto bad;
544 else if (strcmp(*argv,"-CAfile") == 0)
546 if (--argc < 1) goto bad;
549 else if (strcmp(*argv,"-bio_pair") == 0)
553 else if (strcmp(*argv,"-f") == 0)
557 else if (strcmp(*argv,"-time") == 0)
561 else if (strcmp(*argv,"-zlib") == 0)
565 else if (strcmp(*argv,"-rle") == 0)
569 else if (strcmp(*argv,"-named_curve") == 0)
571 if (--argc < 1) goto bad;
572 #ifndef OPENSSL_NO_ECDH
573 named_curve = *(++argv);
575 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
579 else if (strcmp(*argv,"-app_verify") == 0)
581 app_verify_arg.app_verify = 1;
585 fprintf(stderr,"unknown option %s\n",*argv);
599 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
601 fprintf(stderr, "This case cannot work. Use -f to perform "
602 "the test anyway (and\n-d to see what happens), "
603 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
604 "to avoid protocol mismatch.\n");
612 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
615 if (number < 50 && !force)
616 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
619 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
622 SSL_load_error_strings();
624 if (comp == COMP_ZLIB) cm = COMP_zlib();
625 if (comp == COMP_RLE) cm = COMP_rle();
628 if (cm->type != NID_undef)
630 if (SSL_COMP_add_compression_method(comp, cm) != 0)
633 "Failed to add compression method\n");
634 ERR_print_errors_fp(stderr);
640 "Warning: %s compression not supported\n",
641 (comp == COMP_RLE ? "rle" :
642 (comp == COMP_ZLIB ? "zlib" :
644 ERR_print_errors_fp(stderr);
647 ssl_comp_methods = SSL_COMP_get_compression_methods();
648 fprintf(stderr, "Available compression methods:\n");
650 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
652 fprintf(stderr, " NONE\n");
654 for (j = 0; j < n; j++)
656 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
657 fprintf(stderr, " %d: %s\n", c->id, c->name);
661 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
671 meth=SSLv23_method();
673 #ifdef OPENSSL_NO_SSL2
680 c_ctx=SSL_CTX_new(meth);
681 s_ctx=SSL_CTX_new(meth);
682 if ((c_ctx == NULL) || (s_ctx == NULL))
684 ERR_print_errors(bio_err);
690 SSL_CTX_set_cipher_list(c_ctx,cipher);
691 SSL_CTX_set_cipher_list(s_ctx,cipher);
694 #ifndef OPENSSL_NO_DH
699 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
700 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
707 SSL_CTX_set_tmp_dh(s_ctx,dh);
714 #ifndef OPENSSL_NO_ECDH
722 int nid = OBJ_sn2nid(named_curve);
726 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
731 ecdh->group = EC_GROUP_new_by_nid(nid);
732 if (ecdh->group == NULL)
734 BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
740 if (ecdh->group == NULL)
741 ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2);
743 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
744 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
752 #ifndef OPENSSL_NO_RSA
753 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
756 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
758 ERR_print_errors(bio_err);
760 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
761 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
763 ERR_print_errors(bio_err);
769 SSL_CTX_use_certificate_file(c_ctx,client_cert,
771 SSL_CTX_use_PrivateKey_file(c_ctx,
772 (client_key?client_key:client_cert),
776 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
777 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
778 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
779 (!SSL_CTX_set_default_verify_paths(c_ctx)))
781 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
782 ERR_print_errors(bio_err);
788 BIO_printf(bio_err,"client authentication\n");
789 SSL_CTX_set_verify(s_ctx,
790 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
792 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
796 BIO_printf(bio_err,"server authentication\n");
797 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
799 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
803 int session_id_context = 0;
804 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
807 c_ssl=SSL_new(c_ctx);
808 s_ssl=SSL_new(s_ctx);
810 #ifndef OPENSSL_NO_KRB5
811 if (c_ssl && c_ssl->kssl_ctx)
813 char localhost[MAXHOSTNAMELEN+2];
815 if (gethostname(localhost, sizeof localhost-1) == 0)
817 localhost[sizeof localhost-1]='\0';
818 if(strlen(localhost) == sizeof localhost-1)
820 BIO_printf(bio_err,"localhost name too long\n");
823 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
827 #endif /* OPENSSL_NO_KRB5 */
829 for (i=0; i<number; i++)
831 if (!reuse) SSL_set_session(c_ssl,NULL);
833 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
835 ret=doit(s_ssl,c_ssl,bytes);
840 print_details(c_ssl, "");
842 if ((number > 1) || (bytes > 1L))
843 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
846 #ifdef CLOCKS_PER_SEC
847 /* "To determine the time in seconds, the value returned
848 * by the clock function should be divided by the value
849 * of the macro CLOCKS_PER_SEC."
851 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
852 "Approximate total client time: %6.2f s\n",
853 (double)s_time/CLOCKS_PER_SEC,
854 (double)c_time/CLOCKS_PER_SEC);
856 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
857 * -- cc on NeXTstep/OpenStep */
858 BIO_printf(bio_stdout,
859 "Approximate total server time: %6.2f units\n"
860 "Approximate total client time: %6.2f units\n",
870 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
871 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
873 if (bio_stdout != NULL) BIO_free(bio_stdout);
875 #ifndef OPENSSL_NO_RSA
878 #ifndef OPENSSL_NO_ENGINE
881 CRYPTO_cleanup_all_ex_data();
885 CRYPTO_mem_leaks(bio_err);
886 if (bio_err != NULL) BIO_free(bio_err);
890 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
891 clock_t *s_time, clock_t *c_time)
893 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
894 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
895 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
898 size_t bufsiz = 256; /* small buffer for testing */
900 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
902 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
905 s_ssl_bio = BIO_new(BIO_f_ssl());
909 c_ssl_bio = BIO_new(BIO_f_ssl());
913 SSL_set_connect_state(c_ssl);
914 SSL_set_bio(c_ssl, client, client);
915 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
917 SSL_set_accept_state(s_ssl);
918 SSL_set_bio(s_ssl, server, server);
919 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
923 /* c_ssl_bio: SSL filter BIO
925 * client: pseudo-I/O for SSL library
927 * client_io: client's SSL communication; usually to be
928 * relayed over some I/O facility, but in this
929 * test program, we're the server, too:
931 * server_io: server's SSL communication
933 * server: pseudo-I/O for SSL library
935 * s_ssl_bio: SSL filter BIO
937 * The client and the server each employ a "BIO pair":
938 * client + client_io, server + server_io.
939 * BIO pairs are symmetric. A BIO pair behaves similar
940 * to a non-blocking socketpair (but both endpoints must
941 * be handled by the same thread).
942 * [Here we could connect client and server to the ends
943 * of a single BIO pair, but then this code would be less
944 * suitable as an example for BIO pairs in general.]
946 * Useful functions for querying the state of BIO pair endpoints:
948 * BIO_ctrl_pending(bio) number of bytes we can read now
949 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
950 * other side's read attempt
951 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
953 * ..._read_request is never more than ..._write_guarantee;
954 * it depends on the application which one you should use.
957 /* We have non-blocking behaviour throughout this test program, but
958 * can be sure that there is *some* progress in each iteration; so
959 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
960 * -- we just try everything in each iteration
966 MS_STATIC char cbuf[1024*8];
968 clock_t c_clock = clock();
970 memset(cbuf, 0, sizeof(cbuf));
973 if (SSL_in_init(c_ssl))
974 printf("client waiting in SSL_connect - %s\n",
975 SSL_state_string_long(c_ssl));
979 /* Write to server. */
981 if (cw_num > (long)sizeof cbuf)
985 r = BIO_write(c_ssl_bio, cbuf, i);
988 if (!BIO_should_retry(c_ssl_bio))
990 fprintf(stderr,"ERROR in CLIENT\n");
993 /* BIO_should_retry(...) can just be ignored here.
994 * The library expects us to call BIO_write with
995 * the same arguments again, and that's what we will
996 * do in the next iteration. */
1000 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1006 printf("client wrote %d\n", r);
1013 /* Read from server. */
1015 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1018 if (!BIO_should_retry(c_ssl_bio))
1020 fprintf(stderr,"ERROR in CLIENT\n");
1023 /* Again, "BIO_should_retry" can be ignored. */
1027 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1033 printf("client read %d\n", r);
1038 /* c_time and s_time increments will typically be very small
1039 * (depending on machine speed and clock tick intervals),
1040 * but sampling over a large number of connections should
1041 * result in fairly accurate figures. We cannot guarantee
1042 * a lot, however -- if each connection lasts for exactly
1043 * one clock tick, it will be counted only for the client
1044 * or only for the server or even not at all.
1046 *c_time += (clock() - c_clock);
1052 MS_STATIC char sbuf[1024*8];
1054 clock_t s_clock = clock();
1056 memset(sbuf, 0, sizeof(sbuf));
1059 if (SSL_in_init(s_ssl))
1060 printf("server waiting in SSL_accept - %s\n",
1061 SSL_state_string_long(s_ssl));
1065 /* Write to client. */
1067 if (sw_num > (long)sizeof sbuf)
1071 r = BIO_write(s_ssl_bio, sbuf, i);
1074 if (!BIO_should_retry(s_ssl_bio))
1076 fprintf(stderr,"ERROR in SERVER\n");
1079 /* Ignore "BIO_should_retry". */
1083 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1089 printf("server wrote %d\n", r);
1096 /* Read from client. */
1098 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1101 if (!BIO_should_retry(s_ssl_bio))
1103 fprintf(stderr,"ERROR in SERVER\n");
1110 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1116 printf("server read %d\n", r);
1121 *s_time += (clock() - s_clock);
1125 /* "I/O" BETWEEN CLIENT AND SERVER. */
1128 BIO *io1 = server_io, *io2 = client_io;
1129 /* we use the non-copying interface for io1
1130 * and the standard BIO_write/BIO_read interface for io2
1133 static int prev_progress = 1;
1142 r1 = BIO_ctrl_pending(io1);
1143 r2 = BIO_ctrl_get_write_guarantee(io2);
1152 if (INT_MAX < num) /* yeah, right */
1155 r = BIO_nread(io1, &dataptr, (int)num);
1157 assert(r <= (int)num);
1158 /* possibly r < num (non-contiguous data) */
1160 r = BIO_write(io2, dataptr, (int)num);
1161 if (r != (int)num) /* can't happen */
1163 fprintf(stderr, "ERROR: BIO_write could not write "
1164 "BIO_ctrl_get_write_guarantee() bytes");
1170 printf((io1 == client_io) ?
1171 "C->S relaying: %d bytes\n" :
1172 "S->C relaying: %d bytes\n",
1183 r1 = BIO_ctrl_pending(io2);
1184 r2 = BIO_ctrl_get_read_request(io1);
1185 /* here we could use ..._get_write_guarantee instead of
1186 * ..._get_read_request, but by using the latter
1187 * we test restartability of the SSL implementation
1188 * more thoroughly */
1200 --num; /* test restartability even more thoroughly */
1202 r = BIO_nwrite0(io1, &dataptr);
1206 r = BIO_read(io2, dataptr, (int)num);
1207 if (r != (int)num) /* can't happen */
1209 fprintf(stderr, "ERROR: BIO_read could not read "
1210 "BIO_ctrl_pending() bytes");
1214 r = BIO_nwrite(io1, &dataptr, (int)num);
1215 if (r != (int)num) /* can't happen */
1217 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1218 "BIO_nwrite0() bytes");
1223 printf((io2 == client_io) ?
1224 "C->S relaying: %d bytes\n" :
1225 "S->C relaying: %d bytes\n",
1228 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1230 if (!progress && !prev_progress)
1231 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1233 fprintf(stderr, "ERROR: got stuck\n");
1234 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1236 fprintf(stderr, "This can happen for SSL2 because "
1237 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1238 "concurrently ...");
1239 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1240 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1242 fprintf(stderr, " ok.\n");
1246 fprintf(stderr, " ERROR.\n");
1249 prev_progress = progress;
1252 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1255 print_details(c_ssl, "DONE via BIO pair: ");
1260 ERR_print_errors(bio_err);
1265 BIO_free(server_io);
1269 BIO_free(client_io);
1271 BIO_free(s_ssl_bio);
1273 BIO_free(c_ssl_bio);
1284 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1286 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1287 long cw_num=count,cr_num=count;
1288 long sw_num=count,sr_num=count;
1294 int c_r,c_w,s_r,s_w;
1298 int c_write,s_write;
1299 int do_server=0,do_client=0;
1301 memset(cbuf,0,sizeof(cbuf));
1302 memset(sbuf,0,sizeof(sbuf));
1304 c_to_s=BIO_new(BIO_s_mem());
1305 s_to_c=BIO_new(BIO_s_mem());
1306 if ((s_to_c == NULL) || (c_to_s == NULL))
1308 ERR_print_errors(bio_err);
1312 c_bio=BIO_new(BIO_f_ssl());
1313 s_bio=BIO_new(BIO_f_ssl());
1314 if ((c_bio == NULL) || (s_bio == NULL))
1316 ERR_print_errors(bio_err);
1320 SSL_set_connect_state(c_ssl);
1321 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1322 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1324 SSL_set_accept_state(s_ssl);
1325 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1326 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1332 c_write=1,s_write=0;
1334 /* We can always do writes */
1340 i=(int)BIO_pending(s_bio);
1341 if ((i && s_r) || s_w) do_server=1;
1343 i=(int)BIO_pending(c_bio);
1344 if ((i && c_r) || c_w) do_client=1;
1346 if (do_server && debug)
1348 if (SSL_in_init(s_ssl))
1349 printf("server waiting in SSL_accept - %s\n",
1350 SSL_state_string_long(s_ssl));
1351 /* else if (s_write)
1352 printf("server:SSL_write()\n");
1354 printf("server:SSL_read()\n"); */
1357 if (do_client && debug)
1359 if (SSL_in_init(c_ssl))
1360 printf("client waiting in SSL_connect - %s\n",
1361 SSL_state_string_long(c_ssl));
1362 /* else if (c_write)
1363 printf("client:SSL_write()\n");
1365 printf("client:SSL_read()\n"); */
1368 if (!do_client && !do_server)
1370 fprintf(stdout,"ERROR IN STARTUP\n");
1371 ERR_print_errors(bio_err);
1374 if (do_client && !(done & C_DONE))
1378 j = (cw_num > (long)sizeof(cbuf)) ?
1379 (int)sizeof(cbuf) : (int)cw_num;
1380 i=BIO_write(c_bio,cbuf,j);
1385 if (BIO_should_retry(c_bio))
1387 if (BIO_should_read(c_bio))
1389 if (BIO_should_write(c_bio))
1394 fprintf(stderr,"ERROR in CLIENT\n");
1395 ERR_print_errors(bio_err);
1401 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1407 printf("client wrote %d\n",i);
1416 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1421 if (BIO_should_retry(c_bio))
1423 if (BIO_should_read(c_bio))
1425 if (BIO_should_write(c_bio))
1430 fprintf(stderr,"ERROR in CLIENT\n");
1431 ERR_print_errors(bio_err);
1437 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1443 printf("client read %d\n",i);
1460 if (do_server && !(done & S_DONE))
1464 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1469 if (BIO_should_retry(s_bio))
1471 if (BIO_should_read(s_bio))
1473 if (BIO_should_write(s_bio))
1478 fprintf(stderr,"ERROR in SERVER\n");
1479 ERR_print_errors(bio_err);
1485 ERR_print_errors(bio_err);
1486 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1492 printf("server read %d\n",i);
1509 j = (sw_num > (long)sizeof(sbuf)) ?
1510 (int)sizeof(sbuf) : (int)sw_num;
1511 i=BIO_write(s_bio,sbuf,j);
1516 if (BIO_should_retry(s_bio))
1518 if (BIO_should_read(s_bio))
1520 if (BIO_should_write(s_bio))
1525 fprintf(stderr,"ERROR in SERVER\n");
1526 ERR_print_errors(bio_err);
1532 ERR_print_errors(bio_err);
1533 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1539 printf("server wrote %d\n",i);
1549 if ((done & S_DONE) && (done & C_DONE)) break;
1553 print_details(c_ssl, "DONE: ");
1556 /* We have to set the BIO's to NULL otherwise they will be
1557 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1558 * again when c_ssl is SSL_free()ed.
1559 * This is a hack required because s_ssl and c_ssl are sharing the same
1560 * BIO structure and SSL_set_bio() and SSL_free() automatically
1561 * BIO_free non NULL entries.
1562 * You should not normally do this or be required to do this */
1574 if (c_to_s != NULL) BIO_free(c_to_s);
1575 if (s_to_c != NULL) BIO_free(s_to_c);
1576 if (c_bio != NULL) BIO_free_all(c_bio);
1577 if (s_bio != NULL) BIO_free_all(s_bio);
1581 static int get_proxy_auth_ex_data_idx(void)
1583 static volatile int idx = -1;
1586 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1589 idx = X509_STORE_CTX_get_ex_new_index(0,
1590 "SSLtest for verify callback", NULL,NULL,NULL);
1592 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1597 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1601 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1606 fprintf(stderr,"depth=%d %s\n",
1607 ctx->error_depth,buf);
1609 fprintf(stderr,"depth=%d error=%d %s\n",
1610 ctx->error_depth,ctx->error,buf);
1617 case X509_V_ERR_CERT_NOT_YET_VALID:
1618 case X509_V_ERR_CERT_HAS_EXPIRED:
1619 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1626 X509 *xs = ctx->current_cert;
1628 X509 *xi = ctx->current_issuer;
1631 if (xs->ex_flags & EXFLAG_PROXY)
1633 unsigned int *letters =
1634 X509_STORE_CTX_get_ex_data(ctx,
1635 get_proxy_auth_ex_data_idx());
1641 PROXY_CERT_INFO_EXTENSION *pci =
1642 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1645 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1647 case NID_Independent:
1648 /* Completely meaningless in this
1649 program, as there's no way to
1650 grant explicit rights to a
1651 specific PrC. Basically, using
1652 id-ppl-Independent is the perfect
1653 way to grant no rights at all. */
1654 fprintf(stderr, " Independent proxy certificate");
1655 for (i = 0; i < 26; i++)
1658 case NID_id_ppl_inheritAll:
1659 /* This is basically a NOP, we
1660 simply let the current rights
1661 stand as they are. */
1662 fprintf(stderr, " Proxy certificate inherits all");
1666 pci->proxyPolicy->policy->data;
1667 i = pci->proxyPolicy->policy->length;
1669 /* The algorithm works as follows:
1670 it is assumed that previous
1671 iterations or the initial granted
1672 rights has already set some elements
1673 of `letters'. What we need to do is
1674 to clear those that weren't granted
1675 by the current PrC as well. The
1676 easiest way to do this is to add 1
1677 to all the elements whose letters
1678 are given with the current policy.
1679 That way, all elements that are set
1680 by the current policy and were
1681 already set by earlier policies and
1682 through the original grant of rights
1683 will get the value 2 or higher.
1684 The last thing to do is to sweep
1685 through `letters' and keep the
1686 elements having the value 2 as set,
1687 and clear all the others. */
1689 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1693 if (isascii(c) && isalpha(c))
1700 for (i = 0; i < 26; i++)
1709 ", resulting proxy rights = ");
1710 for(i = 0; i < 26; i++)
1713 fprintf(stderr, "%c", i + 'A');
1717 fprintf(stderr, "none");
1718 fprintf(stderr, "\n");
1720 PROXY_CERT_INFO_EXTENSION_free(pci);
1728 static void process_proxy_debug(int indent, const char *format, ...)
1730 static const char indentation[] =
1731 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1732 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1733 char my_format[256];
1736 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1737 indent, indent, indentation, format);
1739 va_start(args, format);
1740 vfprintf(stderr, my_format, args);
1748 static int process_proxy_cond_adders(unsigned int letters[26],
1749 const char *cond, const char **cond_end, int *pos, int indent);
1750 static int process_proxy_cond_val(unsigned int letters[26],
1751 const char *cond, const char **cond_end, int *pos, int indent)
1757 while(isspace(*cond))
1764 process_proxy_debug(indent,
1765 "Start process_proxy_cond_val at position %d: %s\n",
1772 while(isspace(*cond))
1782 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1787 while(isspace(*cond))
1795 "Weird condition character in position %d: "
1802 else if (isascii(c) && isalpha(c))
1806 ok = letters[c - 'A'];
1812 "Weird condition character in position %d: "
1819 if (ok >= 0 && negate)
1823 process_proxy_debug(indent,
1824 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1829 static int process_proxy_cond_multipliers(unsigned int letters[26],
1830 const char *cond, const char **cond_end, int *pos, int indent)
1836 process_proxy_debug(indent,
1837 "Start process_proxy_cond_multipliers at position %d: %s\n",
1840 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1847 while(isspace(*cond))
1861 ok = process_proxy_cond_val(letters,
1862 cond, cond_end, pos, indent + 1);
1876 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1888 process_proxy_debug(indent,
1889 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1895 static int process_proxy_cond_adders(unsigned int letters[26],
1896 const char *cond, const char **cond_end, int *pos, int indent)
1902 process_proxy_debug(indent,
1903 "Start process_proxy_cond_adders at position %d: %s\n",
1906 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1914 while(isspace(*cond))
1927 ok = process_proxy_cond_multipliers(letters,
1928 cond, cond_end, pos, indent + 1);
1939 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1951 process_proxy_debug(indent,
1952 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1959 static int process_proxy_cond(unsigned int letters[26],
1960 const char *cond, const char **cond_end)
1963 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1966 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
1969 struct app_verify_arg *cb_arg = arg;
1970 unsigned int letters[26]; /* only used with proxy_auth */
1972 if (cb_arg->app_verify)
1974 char *s = NULL,buf[256];
1976 fprintf(stderr, "In app_verify_callback, allowing cert. ");
1977 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
1978 fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
1979 (unsigned int)ctx, (unsigned int)ctx->cert);
1981 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1984 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
1988 if (cb_arg->proxy_auth)
1990 int found_any = 0, i;
1993 for(i = 0; i < 26; i++)
1995 for(sp = cb_arg->proxy_auth; *sp; sp++)
1998 if (isascii(c) && isalpha(c))
2002 letters[c - 'A'] = 1;
2007 " Initial proxy rights = ");
2008 for(i = 0; i < 26; i++)
2011 fprintf(stderr, "%c", i + 'A');
2015 fprintf(stderr, "none");
2016 fprintf(stderr, "\n");
2018 X509_STORE_CTX_set_ex_data(ctx,
2019 get_proxy_auth_ex_data_idx(),letters);
2022 #ifndef OPENSSL_NO_X509_VERIFY
2023 # ifdef OPENSSL_FIPS
2024 if(s->version == TLS1_VERSION)
2027 ok = X509_verify_cert(ctx);
2028 # ifdef OPENSSL_FIPS
2029 if(s->version == TLS1_VERSION)
2034 if (cb_arg->proxy_auth)
2038 const char *cond_end = NULL;
2040 ok = process_proxy_cond(letters,
2041 cb_arg->proxy_cond, &cond_end);
2047 fprintf(stderr, "Stopped processing condition before it's end.\n");
2051 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2052 cb_arg->proxy_cond);
2054 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2055 cb_arg->proxy_cond);
2061 #ifndef OPENSSL_NO_RSA
2062 static RSA *rsa_tmp=NULL;
2064 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2067 if (rsa_tmp == NULL)
2070 rsa_tmp = RSA_new();
2071 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2073 BIO_printf(bio_err, "Memory error...");
2076 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2077 (void)BIO_flush(bio_err);
2078 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2080 BIO_printf(bio_err, "Error generating key.");
2085 BIO_printf(bio_err,"\n");
2086 (void)BIO_flush(bio_err);
2092 static void free_tmp_rsa(void)
2094 if (rsa_tmp != NULL)
2102 #ifndef OPENSSL_NO_DH
2103 /* These DH parameters have been generated as follows:
2104 * $ openssl dhparam -C -noout 512
2105 * $ openssl dhparam -C -noout 1024
2106 * $ openssl dhparam -C -noout -dsaparam 1024
2107 * (The third function has been renamed to avoid name conflicts.)
2109 static DH *get_dh512()
2111 static unsigned char dh512_p[]={
2112 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2113 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2114 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2115 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2116 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2117 0x02,0xC5,0xAE,0x23,
2119 static unsigned char dh512_g[]={
2124 if ((dh=DH_new()) == NULL) return(NULL);
2125 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2126 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2127 if ((dh->p == NULL) || (dh->g == NULL))
2128 { DH_free(dh); return(NULL); }
2132 static DH *get_dh1024()
2134 static unsigned char dh1024_p[]={
2135 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2136 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2137 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2138 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2139 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2140 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2141 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2142 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2143 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2144 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2145 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2147 static unsigned char dh1024_g[]={
2152 if ((dh=DH_new()) == NULL) return(NULL);
2153 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2154 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2155 if ((dh->p == NULL) || (dh->g == NULL))
2156 { DH_free(dh); return(NULL); }
2160 static DH *get_dh1024dsa()
2162 static unsigned char dh1024_p[]={
2163 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2164 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2165 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2166 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2167 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2168 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2169 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2170 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2171 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2172 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2173 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2175 static unsigned char dh1024_g[]={
2176 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2177 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2178 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2179 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2180 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2181 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2182 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2183 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2184 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2185 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2186 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2190 if ((dh=DH_new()) == NULL) return(NULL);
2191 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2192 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2193 if ((dh->p == NULL) || (dh->g == NULL))
2194 { DH_free(dh); return(NULL); }