1 /* ssl/ssltest.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116 /* ==================================================================== 117 * Copyright 2005 Nokia. All rights reserved. 118 * 119 * The portions of the attached software ("Contribution") is developed by 120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 121 * license. 122 * 123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 125 * support (see RFC 4279) to OpenSSL. 126 * 127 * No patent licenses or other rights except those expressly stated in 128 * the OpenSSL open source license shall be deemed granted or received 129 * expressly, by implication, estoppel, or otherwise. 130 * 131 * No assurances are provided by Nokia that the Contribution does not 132 * infringe the patent or other intellectual property rights of any third 133 * party or that the license provides you with all the necessary rights 134 * to make use of the Contribution. 135 * 136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 140 * OTHERWISE. 141 */ 142 143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly 144 on Linux and GNU platforms. */ 145 #include <sys/types.h> 146 #include <sys/param.h> 147 #include <sys/socket.h> 148 149 #include <netinet/in.h> 150 151 #include <assert.h> 152 #include <errno.h> 153 #include <limits.h> 154 #include <netdb.h> 155 #include <stdio.h> 156 #include <stdlib.h> 157 #include <string.h> 158 #include <time.h> 159 #include <unistd.h> 160 161 #include <ctype.h> 162 163 #include <openssl/opensslconf.h> 164 #include <openssl/e_os2.h> 165 #include <openssl/bio.h> 166 #include <openssl/crypto.h> 167 #include <openssl/evp.h> 168 #include <openssl/x509.h> 169 #include <openssl/x509v3.h> 170 #include <openssl/ssl.h> 171 #ifndef OPENSSL_NO_ENGINE 172 #include <openssl/engine.h> 173 #endif 174 #include <openssl/err.h> 175 #include <openssl/rand.h> 176 #include <openssl/rsa.h> 177 #include <openssl/dsa.h> 178 #ifndef OPENSSL_NO_DH 179 #include <openssl/dh.h> 180 #endif 181 #include <openssl/bn.h> 182 183 #define _XOPEN_SOURCE_EXTENDED 1 184 /* Or gethostname won't be declared properly 185 on Compaq platforms (at least with DEC C). 186 Do not try to put it earlier, or IPv6 includes 187 get screwed... */ 188 189 190 # define TEST_SERVER_CERT "../apps/server.pem" 191 # define TEST_CLIENT_CERT "../apps/client.pem" 192 193 static int verify_callback(int ok, X509_STORE_CTX *ctx); 194 static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); 195 static void free_tmp_rsa(void); 196 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); 197 #define APP_CALLBACK_STRING "Test Callback Argument" 198 struct app_verify_arg { 199 char *string; 200 int app_verify; 201 int allow_proxy_certs; 202 char *proxy_auth; 203 char *proxy_cond; 204 }; 205 206 #ifndef OPENSSL_NO_DH 207 static DH *get_dh512(void); 208 static DH *get_dh1024(void); 209 static DH *get_dh1024dsa(void); 210 #endif 211 212 static BIO *bio_err = NULL; 213 static BIO *bio_stdout = NULL; 214 215 static char *cipher = NULL; 216 static int verbose = 0; 217 static int debug = 0; 218 219 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, clock_t *c_time); 220 int doit(SSL *s_ssl, SSL *c_ssl, long bytes); 221 static int do_test_cipherlist(void); 222 223 static void 224 sv_usage(void) 225 { 226 fprintf(stderr, "usage: ssltest [args ...]\n"); 227 fprintf(stderr, "\n"); 228 fprintf(stderr, " -server_auth - check server certificate\n"); 229 fprintf(stderr, " -client_auth - do client authentication\n"); 230 fprintf(stderr, " -proxy - allow proxy certificates\n"); 231 fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n"); 232 fprintf(stderr, " -proxy_cond <val> - experssion to test proxy policy rights\n"); 233 fprintf(stderr, " -v - more output\n"); 234 fprintf(stderr, " -d - debug output\n"); 235 fprintf(stderr, " -reuse - use session-id reuse\n"); 236 fprintf(stderr, " -num <val> - number of connections to perform\n"); 237 fprintf(stderr, " -bytes <val> - number of bytes to swap between client/server\n"); 238 #ifndef OPENSSL_NO_DH 239 fprintf(stderr, " -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); 240 fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 241 fprintf(stderr, " -no_dhe - disable DHE\n"); 242 #endif 243 #ifndef OPENSSL_NO_ECDH 244 fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); 245 #endif 246 fprintf(stderr, " -dtls1 - use DTLSv1\n"); 247 fprintf(stderr, " -ssl3 - use SSLv3\n"); 248 fprintf(stderr, " -tls1 - use TLSv1\n"); 249 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); 250 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); 251 fprintf(stderr, " -cert arg - Server certificate file\n"); 252 fprintf(stderr, " -key arg - Server key file (default: same as -cert)\n"); 253 fprintf(stderr, " -c_cert arg - Client certificate file\n"); 254 fprintf(stderr, " -c_key arg - Client key file (default: same as -c_cert)\n"); 255 fprintf(stderr, " -cipher arg - The cipher list\n"); 256 fprintf(stderr, " -bio_pair - Use BIO pairs\n"); 257 fprintf(stderr, " -f - Test even cases that can't work\n"); 258 fprintf(stderr, " -time - measure processor time used by client and server\n"); 259 #ifndef OPENSSL_NO_ECDH 260 fprintf(stderr, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 261 " Use \"openssl ecparam -list_curves\" for all names\n" \ 262 " (default is sect163r2).\n"); 263 #endif 264 fprintf(stderr, " -test_cipherlist - verifies the order of the ssl cipher lists\n"); 265 } 266 267 static void 268 print_details(SSL *c_ssl, const char *prefix) 269 { 270 const SSL_CIPHER *ciph; 271 X509 *cert; 272 273 ciph = SSL_get_current_cipher(c_ssl); 274 BIO_printf(bio_stdout, "%s%s, cipher %s %s", 275 prefix, 276 SSL_get_version(c_ssl), 277 SSL_CIPHER_get_version(ciph), 278 SSL_CIPHER_get_name(ciph)); 279 cert = SSL_get_peer_certificate(c_ssl); 280 if (cert != NULL) { 281 EVP_PKEY *pkey = X509_get_pubkey(cert); 282 if (pkey != NULL) { 283 if (pkey->type == EVP_PKEY_RSA && 284 pkey->pkey.rsa != NULL && 285 pkey->pkey.rsa->n != NULL) { 286 BIO_printf(bio_stdout, ", %d bit RSA", 287 BN_num_bits(pkey->pkey.rsa->n)); 288 } 289 else if (pkey->type == EVP_PKEY_DSA && 290 pkey->pkey.dsa != NULL && 291 pkey->pkey.dsa->p != NULL) { 292 BIO_printf(bio_stdout, ", %d bit DSA", 293 BN_num_bits(pkey->pkey.dsa->p)); 294 } 295 EVP_PKEY_free(pkey); 296 } 297 X509_free(cert); 298 } 299 /* The SSL API does not allow us to look at temporary RSA/DH keys, 300 * otherwise we should print their lengths too */ 301 BIO_printf(bio_stdout, "\n"); 302 } 303 304 static void 305 lock_dbg_cb(int mode, int type, const char *file, int line) 306 { 307 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ 308 const char *errstr = NULL; 309 int rw; 310 311 rw = mode & (CRYPTO_READ|CRYPTO_WRITE); 312 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) { 313 errstr = "invalid mode"; 314 goto err; 315 } 316 317 if (type < 0 || type >= CRYPTO_NUM_LOCKS) { 318 errstr = "type out of bounds"; 319 goto err; 320 } 321 322 if (mode & CRYPTO_LOCK) { 323 if (modes[type]) { 324 errstr = "already locked"; 325 /* must not happen in a single-threaded program 326 * (would deadlock) */ 327 goto err; 328 } 329 330 modes[type] = rw; 331 } else if (mode & CRYPTO_UNLOCK) { 332 if (!modes[type]) { 333 errstr = "not locked"; 334 goto err; 335 } 336 337 if (modes[type] != rw) { 338 errstr = (rw == CRYPTO_READ) ? 339 "CRYPTO_r_unlock on write lock" : 340 "CRYPTO_w_unlock on read lock"; 341 } 342 343 modes[type] = 0; 344 } else { 345 errstr = "invalid mode"; 346 goto err; 347 } 348 349 err: 350 if (errstr) { 351 /* we cannot use bio_err here */ 352 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 353 errstr, mode, type, file, line); 354 } 355 } 356 357 int 358 main(int argc, char *argv[]) 359 { 360 char *CApath = NULL, *CAfile = NULL; 361 int badop = 0; 362 int bio_pair = 0; 363 int force = 0; 364 int tls1 = 0, ssl2 = 0, ssl3 = 0, dtls1 = 0, ret = 1; 365 int client_auth = 0; 366 int server_auth = 0, i; 367 struct app_verify_arg app_verify_arg = 368 { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; 369 char *server_cert = TEST_SERVER_CERT; 370 char *server_key = NULL; 371 char *client_cert = TEST_CLIENT_CERT; 372 char *client_key = NULL; 373 #ifndef OPENSSL_NO_ECDH 374 char *named_curve = NULL; 375 #endif 376 SSL_CTX *s_ctx = NULL; 377 SSL_CTX *c_ctx = NULL; 378 const SSL_METHOD *meth = NULL; 379 SSL *c_ssl, *s_ssl; 380 int number = 1, reuse = 0; 381 long bytes = 256L; 382 #ifndef OPENSSL_NO_DH 383 DH *dh; 384 int dhe1024 = 0, dhe1024dsa = 0; 385 #endif 386 #ifndef OPENSSL_NO_ECDH 387 EC_KEY *ecdh = NULL; 388 #endif 389 int no_dhe = 0; 390 int no_ecdhe = 0; 391 int print_time = 0; 392 clock_t s_time = 0, c_time = 0; 393 int test_cipherlist = 0; 394 395 verbose = 0; 396 debug = 0; 397 cipher = 0; 398 399 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE|BIO_FP_TEXT); 400 401 402 CRYPTO_set_locking_callback(lock_dbg_cb); 403 404 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE|BIO_FP_TEXT); 405 406 argc--; 407 argv++; 408 409 while (argc >= 1) { 410 if (!strcmp(*argv, "-F")) { 411 fprintf(stderr, "not compiled with FIPS support, so exitting without running.\n"); 412 exit(0); 413 } else if (strcmp(*argv, "-server_auth") == 0) 414 server_auth = 1; 415 else if (strcmp(*argv, "-client_auth") == 0) 416 client_auth = 1; 417 else if (strcmp(*argv, "-proxy_auth") == 0) { 418 if (--argc < 1) 419 goto bad; 420 app_verify_arg.proxy_auth= *(++argv); 421 } else if (strcmp(*argv, "-proxy_cond") == 0) { 422 if (--argc < 1) 423 goto bad; 424 app_verify_arg.proxy_cond= *(++argv); 425 } else if (strcmp(*argv, "-v") == 0) 426 verbose = 1; 427 else if (strcmp(*argv, "-d") == 0) 428 debug = 1; 429 else if (strcmp(*argv, "-reuse") == 0) 430 reuse = 1; 431 else if (strcmp(*argv, "-dhe1024") == 0) { 432 #ifndef OPENSSL_NO_DH 433 dhe1024 = 1; 434 #else 435 fprintf(stderr, "ignoring -dhe1024, since I'm compiled without DH\n"); 436 #endif 437 } else if (strcmp(*argv, "-dhe1024dsa") == 0) { 438 #ifndef OPENSSL_NO_DH 439 dhe1024dsa = 1; 440 #else 441 fprintf(stderr, "ignoring -dhe1024, since I'm compiled without DH\n"); 442 #endif 443 } else if (strcmp(*argv, "-no_dhe") == 0) 444 no_dhe = 1; 445 else if (strcmp(*argv, "-no_ecdhe") == 0) 446 no_ecdhe = 1; 447 else if (strcmp(*argv, "-dtls1") == 0) 448 dtls1 = 1; 449 else if (strcmp(*argv, "-ssl2") == 0) 450 ssl2 = 1; 451 else if (strcmp(*argv, "-ssl3") == 0) 452 ssl3 = 1; 453 else if (strcmp(*argv, "-tls1") == 0) 454 tls1 = 1; 455 else if (strncmp(*argv, "-num", 4) == 0) { 456 if (--argc < 1) 457 goto bad; 458 number = atoi(*(++argv)); 459 if (number == 0) 460 number = 1; 461 } else if (strcmp(*argv, "-bytes") == 0) { 462 if (--argc < 1) 463 goto bad; 464 bytes = atol(*(++argv)); 465 if (bytes == 0L) 466 bytes = 1L; 467 i = strlen(argv[0]); 468 if (argv[0][i - 1] == 'k') 469 bytes*=1024L; 470 if (argv[0][i - 1] == 'm') 471 bytes*=1024L*1024L; 472 } else if (strcmp(*argv, "-cert") == 0) { 473 if (--argc < 1) 474 goto bad; 475 server_cert= *(++argv); 476 } else if (strcmp(*argv, "-s_cert") == 0) { 477 if (--argc < 1) 478 goto bad; 479 server_cert= *(++argv); 480 } else if (strcmp(*argv, "-key") == 0) { 481 if (--argc < 1) 482 goto bad; 483 server_key= *(++argv); 484 } else if (strcmp(*argv, "-s_key") == 0) { 485 if (--argc < 1) 486 goto bad; 487 server_key= *(++argv); 488 } else if (strcmp(*argv, "-c_cert") == 0) { 489 if (--argc < 1) 490 goto bad; 491 client_cert= *(++argv); 492 } else if (strcmp(*argv, "-c_key") == 0) { 493 if (--argc < 1) 494 goto bad; 495 client_key= *(++argv); 496 } else if (strcmp(*argv, "-cipher") == 0) { 497 if (--argc < 1) 498 goto bad; 499 cipher= *(++argv); 500 } else if (strcmp(*argv, "-CApath") == 0) { 501 if (--argc < 1) 502 goto bad; 503 CApath= *(++argv); 504 } else if (strcmp(*argv, "-CAfile") == 0) { 505 if (--argc < 1) 506 goto bad; 507 CAfile= *(++argv); 508 } else if (strcmp(*argv, "-bio_pair") == 0) { 509 bio_pair = 1; 510 } else if (strcmp(*argv, "-f") == 0) { 511 force = 1; 512 } else if (strcmp(*argv, "-time") == 0) { 513 print_time = 1; 514 } else if (strcmp(*argv, "-named_curve") == 0) { 515 if (--argc < 1) 516 goto bad; 517 #ifndef OPENSSL_NO_ECDH 518 named_curve = *(++argv); 519 #else 520 fprintf(stderr, "ignoring -named_curve, since I'm compiled without ECDH\n"); 521 ++argv; 522 #endif 523 } else if (strcmp(*argv, "-app_verify") == 0) { 524 app_verify_arg.app_verify = 1; 525 } else if (strcmp(*argv, "-proxy") == 0) { 526 app_verify_arg.allow_proxy_certs = 1; 527 } else if (strcmp(*argv, "-test_cipherlist") == 0) { 528 test_cipherlist = 1; 529 } else { 530 fprintf(stderr, "unknown option %s\n", *argv); 531 badop = 1; 532 break; 533 } 534 argc--; 535 argv++; 536 } 537 if (badop) { 538 bad: 539 sv_usage(); 540 goto end; 541 } 542 543 if (test_cipherlist == 1) { 544 /* ensure that the cipher list are correctly sorted and exit */ 545 if (do_test_cipherlist() == 0) 546 exit(1); 547 ret = 0; 548 goto end; 549 } 550 551 if (!dtls1 && !ssl2 && !ssl3 && !tls1 && 552 number > 1 && !reuse && !force) { 553 fprintf(stderr, 554 "This case cannot work. Use -f to perform " 555 "the test anyway (and\n-d to see what happens), " 556 "or add one of -dtls1, -ssl2, -ssl3, -tls1, -reuse\n" 557 "to avoid protocol mismatch.\n"); 558 exit(1); 559 } 560 561 if (print_time) { 562 if (!bio_pair) { 563 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 564 bio_pair = 1; 565 } 566 if (number < 50 && !force) 567 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 568 } 569 570 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ 571 572 SSL_library_init(); 573 SSL_load_error_strings(); 574 575 576 if (dtls1) 577 meth = DTLSv1_method(); 578 else if (tls1) 579 meth = TLSv1_method(); 580 else if (ssl3) 581 meth = SSLv3_method(); 582 else 583 meth = SSLv23_method(); 584 585 c_ctx = SSL_CTX_new(meth); 586 s_ctx = SSL_CTX_new(meth); 587 if ((c_ctx == NULL) || (s_ctx == NULL)) { 588 ERR_print_errors(bio_err); 589 goto end; 590 } 591 592 if (cipher != NULL) { 593 SSL_CTX_set_cipher_list(c_ctx, cipher); 594 SSL_CTX_set_cipher_list(s_ctx, cipher); 595 } 596 597 #ifndef OPENSSL_NO_DH 598 if (!no_dhe) { 599 if (dhe1024dsa) { 600 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ 601 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 602 dh = get_dh1024dsa(); 603 } else if (dhe1024) 604 dh = get_dh1024(); 605 else 606 dh = get_dh512(); 607 SSL_CTX_set_tmp_dh(s_ctx, dh); 608 DH_free(dh); 609 } 610 #else 611 (void)no_dhe; 612 #endif 613 614 #ifndef OPENSSL_NO_ECDH 615 if (!no_ecdhe) { 616 int nid; 617 618 if (named_curve != NULL) { 619 nid = OBJ_sn2nid(named_curve); 620 if (nid == 0) { 621 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); 622 goto end; 623 } 624 } else 625 #ifdef OPENSSL_NO_EC2M 626 nid = NID_X9_62_prime256v1; 627 #else 628 nid = NID_sect163r2; 629 #endif 630 631 ecdh = EC_KEY_new_by_curve_name(nid); 632 if (ecdh == NULL) { 633 BIO_printf(bio_err, "unable to create curve\n"); 634 goto end; 635 } 636 637 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); 638 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); 639 EC_KEY_free(ecdh); 640 } 641 #else 642 (void)no_ecdhe; 643 #endif 644 645 SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); 646 647 if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { 648 ERR_print_errors(bio_err); 649 } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, 650 (server_key ? server_key : server_cert), SSL_FILETYPE_PEM)) { 651 ERR_print_errors(bio_err); 652 goto end; 653 } 654 655 if (client_auth) { 656 SSL_CTX_use_certificate_file(c_ctx, client_cert, 657 SSL_FILETYPE_PEM); 658 SSL_CTX_use_PrivateKey_file(c_ctx, 659 (client_key ? client_key : client_cert), 660 SSL_FILETYPE_PEM); 661 } 662 663 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || 664 (!SSL_CTX_set_default_verify_paths(s_ctx)) || 665 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || 666 (!SSL_CTX_set_default_verify_paths(c_ctx))) { 667 /* fprintf(stderr,"SSL_load_verify_locations\n"); */ 668 ERR_print_errors(bio_err); 669 /* goto end; */ 670 } 671 672 if (client_auth) { 673 BIO_printf(bio_err, "client authentication\n"); 674 SSL_CTX_set_verify(s_ctx, 675 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 676 verify_callback); 677 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); 678 } 679 if (server_auth) { 680 BIO_printf(bio_err, "server authentication\n"); 681 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, 682 verify_callback); 683 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); 684 } 685 686 { 687 int session_id_context = 0; 688 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); 689 } 690 691 c_ssl = SSL_new(c_ctx); 692 s_ssl = SSL_new(s_ctx); 693 694 for (i = 0; i < number; i++) { 695 if (!reuse) 696 SSL_set_session(c_ssl, NULL); 697 if (bio_pair) 698 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time); 699 else 700 ret = doit(s_ssl, c_ssl, bytes); 701 } 702 703 if (!verbose) { 704 print_details(c_ssl, ""); 705 } 706 if ((number > 1) || (bytes > 1L)) 707 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", number, bytes); 708 if (print_time) { 709 #ifdef CLOCKS_PER_SEC 710 /* "To determine the time in seconds, the value returned 711 * by the clock function should be divided by the value 712 * of the macro CLOCKS_PER_SEC." 713 * -- ISO/IEC 9899 */ 714 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" 715 "Approximate total client time: %6.2f s\n", 716 (double)s_time/CLOCKS_PER_SEC, 717 (double)c_time/CLOCKS_PER_SEC); 718 #else 719 /* "`CLOCKS_PER_SEC' undeclared (first use this function)" 720 * -- cc on NeXTstep/OpenStep */ 721 BIO_printf(bio_stdout, 722 "Approximate total server time: %6.2f units\n" 723 "Approximate total client time: %6.2f units\n", 724 (double)s_time, 725 (double)c_time); 726 #endif 727 } 728 729 SSL_free(s_ssl); 730 SSL_free(c_ssl); 731 732 end: 733 if (s_ctx != NULL) 734 SSL_CTX_free(s_ctx); 735 if (c_ctx != NULL) 736 SSL_CTX_free(c_ctx); 737 738 if (bio_stdout != NULL) 739 BIO_free(bio_stdout); 740 741 free_tmp_rsa(); 742 #ifndef OPENSSL_NO_ENGINE 743 ENGINE_cleanup(); 744 #endif 745 CRYPTO_cleanup_all_ex_data(); 746 ERR_free_strings(); 747 ERR_remove_thread_state(NULL); 748 EVP_cleanup(); 749 CRYPTO_mem_leaks(bio_err); 750 if (bio_err != NULL) 751 BIO_free(bio_err); 752 exit(ret); 753 return ret; 754 } 755 756 int 757 doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, clock_t *s_time, 758 clock_t *c_time) 759 { 760 long cw_num = count, cr_num = count, sw_num = count, sr_num = count; 761 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; 762 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; 763 int ret = 1; 764 765 size_t bufsiz = 256; /* small buffer for testing */ 766 767 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) 768 goto err; 769 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) 770 goto err; 771 772 s_ssl_bio = BIO_new(BIO_f_ssl()); 773 if (!s_ssl_bio) 774 goto err; 775 776 c_ssl_bio = BIO_new(BIO_f_ssl()); 777 if (!c_ssl_bio) 778 goto err; 779 780 SSL_set_connect_state(c_ssl); 781 SSL_set_bio(c_ssl, client, client); 782 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); 783 784 SSL_set_accept_state(s_ssl); 785 SSL_set_bio(s_ssl, server, server); 786 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); 787 788 do { 789 /* c_ssl_bio: SSL filter BIO 790 * 791 * client: pseudo-I/O for SSL library 792 * 793 * client_io: client's SSL communication; usually to be 794 * relayed over some I/O facility, but in this 795 * test program, we're the server, too: 796 * 797 * server_io: server's SSL communication 798 * 799 * server: pseudo-I/O for SSL library 800 * 801 * s_ssl_bio: SSL filter BIO 802 * 803 * The client and the server each employ a "BIO pair": 804 * client + client_io, server + server_io. 805 * BIO pairs are symmetric. A BIO pair behaves similar 806 * to a non-blocking socketpair (but both endpoints must 807 * be handled by the same thread). 808 * [Here we could connect client and server to the ends 809 * of a single BIO pair, but then this code would be less 810 * suitable as an example for BIO pairs in general.] 811 * 812 * Useful functions for querying the state of BIO pair endpoints: 813 * 814 * BIO_ctrl_pending(bio) number of bytes we can read now 815 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil 816 * other side's read attempt 817 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 818 * 819 * ..._read_request is never more than ..._write_guarantee; 820 * it depends on the application which one you should use. 821 */ 822 823 /* We have non-blocking behaviour throughout this test program, but 824 * can be sure that there is *some* progress in each iteration; so 825 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE 826 * -- we just try everything in each iteration 827 */ 828 829 { 830 /* CLIENT */ 831 832 char cbuf[1024*8]; 833 int i, r; 834 clock_t c_clock = clock(); 835 836 memset(cbuf, 0, sizeof(cbuf)); 837 838 if (debug) 839 if (SSL_in_init(c_ssl)) 840 printf("client waiting in SSL_connect - %s\n", 841 SSL_state_string_long(c_ssl)); 842 843 if (cw_num > 0) { 844 /* Write to server. */ 845 846 if (cw_num > (long)sizeof cbuf) 847 i = sizeof cbuf; 848 else 849 i = (int)cw_num; 850 r = BIO_write(c_ssl_bio, cbuf, i); 851 if (r < 0) { 852 if (!BIO_should_retry(c_ssl_bio)) { 853 fprintf(stderr, "ERROR in CLIENT\n"); 854 goto err; 855 } 856 /* BIO_should_retry(...) can just be ignored here. 857 * The library expects us to call BIO_write with 858 * the same arguments again, and that's what we will 859 * do in the next iteration. */ 860 } else if (r == 0) { 861 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 862 goto err; 863 } else { 864 if (debug) 865 printf("client wrote %d\n", r); 866 cw_num -= r; 867 868 } 869 } 870 871 if (cr_num > 0) { 872 /* Read from server. */ 873 874 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 875 if (r < 0) { 876 if (!BIO_should_retry(c_ssl_bio)) { 877 fprintf(stderr, "ERROR in CLIENT\n"); 878 goto err; 879 } 880 /* Again, "BIO_should_retry" can be ignored. */ 881 } else if (r == 0) { 882 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 883 goto err; 884 } else { 885 if (debug) 886 printf("client read %d\n", r); 887 cr_num -= r; 888 } 889 } 890 891 /* c_time and s_time increments will typically be very small 892 * (depending on machine speed and clock tick intervals), 893 * but sampling over a large number of connections should 894 * result in fairly accurate figures. We cannot guarantee 895 * a lot, however -- if each connection lasts for exactly 896 * one clock tick, it will be counted only for the client 897 * or only for the server or even not at all. 898 */ 899 *c_time += (clock() - c_clock); 900 } 901 902 { 903 /* SERVER */ 904 905 char sbuf[1024*8]; 906 int i, r; 907 clock_t s_clock = clock(); 908 909 memset(sbuf, 0, sizeof(sbuf)); 910 911 if (debug) 912 if (SSL_in_init(s_ssl)) 913 printf("server waiting in SSL_accept - %s\n", 914 SSL_state_string_long(s_ssl)); 915 916 if (sw_num > 0) { 917 /* Write to client. */ 918 919 if (sw_num > (long)sizeof sbuf) 920 i = sizeof sbuf; 921 else 922 i = (int)sw_num; 923 r = BIO_write(s_ssl_bio, sbuf, i); 924 if (r < 0) { 925 if (!BIO_should_retry(s_ssl_bio)) { 926 fprintf(stderr, "ERROR in SERVER\n"); 927 goto err; 928 } 929 /* Ignore "BIO_should_retry". */ 930 } else if (r == 0) { 931 fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); 932 goto err; 933 } else { 934 if (debug) 935 printf("server wrote %d\n", r); 936 sw_num -= r; 937 938 } 939 } 940 941 if (sr_num > 0) { 942 /* Read from client. */ 943 944 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 945 if (r < 0) { 946 if (!BIO_should_retry(s_ssl_bio)) { 947 fprintf(stderr, "ERROR in SERVER\n"); 948 goto err; 949 } 950 /* blah, blah */ 951 } else if (r == 0) { 952 fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); 953 goto err; 954 } else { 955 if (debug) 956 printf("server read %d\n", r); 957 sr_num -= r; 958 } 959 } 960 961 *s_time += (clock() - s_clock); 962 } 963 964 { 965 /* "I/O" BETWEEN CLIENT AND SERVER. */ 966 967 size_t r1, r2; 968 BIO *io1 = server_io, *io2 = client_io; 969 /* we use the non-copying interface for io1 970 * and the standard BIO_write/BIO_read interface for io2 971 */ 972 973 static int prev_progress = 1; 974 int progress = 0; 975 976 /* io1 to io2 */ 977 do 978 { 979 size_t num; 980 int r; 981 982 r1 = BIO_ctrl_pending(io1); 983 r2 = BIO_ctrl_get_write_guarantee(io2); 984 985 num = r1; 986 if (r2 < num) 987 num = r2; 988 if (num) { 989 char *dataptr; 990 991 if (INT_MAX < num) /* yeah, right */ 992 num = INT_MAX; 993 994 r = BIO_nread(io1, &dataptr, (int)num); 995 assert(r > 0); 996 assert(r <= (int)num); 997 /* possibly r < num (non-contiguous data) */ 998 num = r; 999 r = BIO_write(io2, dataptr, (int)num); 1000 if (r != (int)num) /* can't happen */ 1001 { 1002 fprintf(stderr, "ERROR: BIO_write could not write " 1003 "BIO_ctrl_get_write_guarantee() bytes"); 1004 goto err; 1005 } 1006 progress = 1; 1007 1008 if (debug) 1009 printf((io1 == client_io) ? 1010 "C->S relaying: %d bytes\n" : 1011 "S->C relaying: %d bytes\n", 1012 (int)num); 1013 } 1014 } while (r1 && r2); 1015 1016 /* io2 to io1 */ 1017 { 1018 size_t num; 1019 int r; 1020 1021 r1 = BIO_ctrl_pending(io2); 1022 r2 = BIO_ctrl_get_read_request(io1); 1023 /* here we could use ..._get_write_guarantee instead of 1024 * ..._get_read_request, but by using the latter 1025 * we test restartability of the SSL implementation 1026 * more thoroughly */ 1027 num = r1; 1028 if (r2 < num) 1029 num = r2; 1030 if (num) { 1031 char *dataptr; 1032 1033 if (INT_MAX < num) 1034 num = INT_MAX; 1035 1036 if (num > 1) 1037 --num; /* test restartability even more thoroughly */ 1038 1039 r = BIO_nwrite0(io1, &dataptr); 1040 assert(r > 0); 1041 if (r < (int)num) 1042 num = r; 1043 r = BIO_read(io2, dataptr, (int)num); 1044 if (r != (int)num) /* can't happen */ 1045 { 1046 fprintf(stderr, "ERROR: BIO_read could not read " 1047 "BIO_ctrl_pending() bytes"); 1048 goto err; 1049 } 1050 progress = 1; 1051 r = BIO_nwrite(io1, &dataptr, (int)num); 1052 if (r != (int)num) /* can't happen */ 1053 { 1054 fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 1055 "BIO_nwrite0() bytes"); 1056 goto err; 1057 } 1058 1059 if (debug) 1060 printf((io2 == client_io) ? 1061 "C->S relaying: %d bytes\n" : 1062 "S->C relaying: %d bytes\n", 1063 (int)num); 1064 } 1065 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ 1066 1067 if (!progress && !prev_progress) 1068 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) { 1069 fprintf(stderr, "ERROR: got stuck\n"); 1070 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) { 1071 fprintf(stderr, "This can happen for SSL2 because " 1072 "CLIENT-FINISHED and SERVER-VERIFY are written \n" 1073 "concurrently ..."); 1074 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 1075 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) { 1076 fprintf(stderr, " ok.\n"); 1077 goto end; 1078 } 1079 } 1080 fprintf(stderr, " ERROR.\n"); 1081 goto err; 1082 } 1083 prev_progress = progress; 1084 } 1085 } while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 1086 1087 if (verbose) 1088 print_details(c_ssl, "DONE via BIO pair: "); 1089 end: 1090 ret = 0; 1091 1092 err: 1093 ERR_print_errors(bio_err); 1094 1095 if (server) 1096 BIO_free(server); 1097 if (server_io) 1098 BIO_free(server_io); 1099 if (client) 1100 BIO_free(client); 1101 if (client_io) 1102 BIO_free(client_io); 1103 if (s_ssl_bio) 1104 BIO_free(s_ssl_bio); 1105 if (c_ssl_bio) 1106 BIO_free(c_ssl_bio); 1107 1108 return ret; 1109 } 1110 1111 1112 #define W_READ 1 1113 #define W_WRITE 2 1114 #define C_DONE 1 1115 #define S_DONE 2 1116 1117 int 1118 doit(SSL *s_ssl, SSL *c_ssl, long count) 1119 { 1120 char cbuf[1024*8], sbuf[1024*8]; 1121 long cw_num = count, cr_num = count; 1122 long sw_num = count, sr_num = count; 1123 int ret = 1; 1124 BIO *c_to_s = NULL; 1125 BIO *s_to_c = NULL; 1126 BIO *c_bio = NULL; 1127 BIO *s_bio = NULL; 1128 int c_r, c_w, s_r, s_w; 1129 int i, j; 1130 int done = 0; 1131 int c_write, s_write; 1132 int do_server = 0, do_client = 0; 1133 1134 memset(cbuf, 0, sizeof(cbuf)); 1135 memset(sbuf, 0, sizeof(sbuf)); 1136 1137 c_to_s = BIO_new(BIO_s_mem()); 1138 s_to_c = BIO_new(BIO_s_mem()); 1139 if ((s_to_c == NULL) || (c_to_s == NULL)) { 1140 ERR_print_errors(bio_err); 1141 goto err; 1142 } 1143 1144 c_bio = BIO_new(BIO_f_ssl()); 1145 s_bio = BIO_new(BIO_f_ssl()); 1146 if ((c_bio == NULL) || (s_bio == NULL)) { 1147 ERR_print_errors(bio_err); 1148 goto err; 1149 } 1150 1151 SSL_set_connect_state(c_ssl); 1152 SSL_set_bio(c_ssl, s_to_c, c_to_s); 1153 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE); 1154 1155 SSL_set_accept_state(s_ssl); 1156 SSL_set_bio(s_ssl, c_to_s, s_to_c); 1157 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE); 1158 1159 c_r = 0; 1160 s_r = 1; 1161 c_w = 1; 1162 s_w = 0; 1163 c_write = 1, s_write = 0; 1164 1165 /* We can always do writes */ 1166 for (;;) { 1167 do_server = 0; 1168 do_client = 0; 1169 1170 i = (int)BIO_pending(s_bio); 1171 if ((i && s_r) || s_w) 1172 do_server = 1; 1173 1174 i = (int)BIO_pending(c_bio); 1175 if ((i && c_r) || c_w) 1176 do_client = 1; 1177 1178 if (do_server && debug) { 1179 if (SSL_in_init(s_ssl)) 1180 printf("server waiting in SSL_accept - %s\n", 1181 SSL_state_string_long(s_ssl)); 1182 /* else if (s_write) 1183 printf("server:SSL_write()\n"); 1184 else 1185 printf("server:SSL_read()\n"); */ 1186 } 1187 1188 if (do_client && debug) { 1189 if (SSL_in_init(c_ssl)) 1190 printf("client waiting in SSL_connect - %s\n", 1191 SSL_state_string_long(c_ssl)); 1192 /* else if (c_write) 1193 printf("client:SSL_write()\n"); 1194 else 1195 printf("client:SSL_read()\n"); */ 1196 } 1197 1198 if (!do_client && !do_server) { 1199 fprintf(stdout, "ERROR IN STARTUP\n"); 1200 ERR_print_errors(bio_err); 1201 break; 1202 } 1203 if (do_client && !(done & C_DONE)) { 1204 if (c_write) { 1205 j = (cw_num > (long)sizeof(cbuf)) ? 1206 (int)sizeof(cbuf) : (int)cw_num; 1207 i = BIO_write(c_bio, cbuf, j); 1208 if (i < 0) { 1209 c_r = 0; 1210 c_w = 0; 1211 if (BIO_should_retry(c_bio)) { 1212 if (BIO_should_read(c_bio)) 1213 c_r = 1; 1214 if (BIO_should_write(c_bio)) 1215 c_w = 1; 1216 } else { 1217 fprintf(stderr, "ERROR in CLIENT\n"); 1218 ERR_print_errors(bio_err); 1219 goto err; 1220 } 1221 } else if (i == 0) { 1222 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 1223 goto err; 1224 } else { 1225 if (debug) 1226 printf("client wrote %d\n", i); 1227 /* ok */ 1228 s_r = 1; 1229 c_write = 0; 1230 cw_num -= i; 1231 } 1232 } else { 1233 i = BIO_read(c_bio, cbuf, sizeof(cbuf)); 1234 if (i < 0) { 1235 c_r = 0; 1236 c_w = 0; 1237 if (BIO_should_retry(c_bio)) { 1238 if (BIO_should_read(c_bio)) 1239 c_r = 1; 1240 if (BIO_should_write(c_bio)) 1241 c_w = 1; 1242 } else { 1243 fprintf(stderr, "ERROR in CLIENT\n"); 1244 ERR_print_errors(bio_err); 1245 goto err; 1246 } 1247 } else if (i == 0) { 1248 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 1249 goto err; 1250 } else { 1251 if (debug) 1252 printf("client read %d\n", i); 1253 cr_num -= i; 1254 if (sw_num > 0) { 1255 s_write = 1; 1256 s_w = 1; 1257 } 1258 if (cr_num <= 0) { 1259 s_write = 1; 1260 s_w = 1; 1261 done = S_DONE|C_DONE; 1262 } 1263 } 1264 } 1265 } 1266 1267 if (do_server && !(done & S_DONE)) { 1268 if (!s_write) { 1269 i = BIO_read(s_bio, sbuf, sizeof(cbuf)); 1270 if (i < 0) { 1271 s_r = 0; 1272 s_w = 0; 1273 if (BIO_should_retry(s_bio)) { 1274 if (BIO_should_read(s_bio)) 1275 s_r = 1; 1276 if (BIO_should_write(s_bio)) 1277 s_w = 1; 1278 } else { 1279 fprintf(stderr, "ERROR in SERVER\n"); 1280 ERR_print_errors(bio_err); 1281 goto err; 1282 } 1283 } else if (i == 0) { 1284 ERR_print_errors(bio_err); 1285 fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_read\n"); 1286 goto err; 1287 } else { 1288 if (debug) 1289 printf("server read %d\n", i); 1290 sr_num -= i; 1291 if (cw_num > 0) { 1292 c_write = 1; 1293 c_w = 1; 1294 } 1295 if (sr_num <= 0) { 1296 s_write = 1; 1297 s_w = 1; 1298 c_write = 0; 1299 } 1300 } 1301 } else { 1302 j = (sw_num > (long)sizeof(sbuf)) ? 1303 (int)sizeof(sbuf) : (int)sw_num; 1304 i = BIO_write(s_bio, sbuf, j); 1305 if (i < 0) { 1306 s_r = 0; 1307 s_w = 0; 1308 if (BIO_should_retry(s_bio)) { 1309 if (BIO_should_read(s_bio)) 1310 s_r = 1; 1311 if (BIO_should_write(s_bio)) 1312 s_w = 1; 1313 } else { 1314 fprintf(stderr, "ERROR in SERVER\n"); 1315 ERR_print_errors(bio_err); 1316 goto err; 1317 } 1318 } else if (i == 0) { 1319 ERR_print_errors(bio_err); 1320 fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_write\n"); 1321 goto err; 1322 } else { 1323 if (debug) 1324 printf("server wrote %d\n", i); 1325 sw_num -= i; 1326 s_write = 0; 1327 c_r = 1; 1328 if (sw_num <= 0) 1329 done|=S_DONE; 1330 } 1331 } 1332 } 1333 1334 if ((done & S_DONE) 1335 && (done & C_DONE)) break; 1336 } 1337 1338 if (verbose) 1339 print_details(c_ssl, "DONE: "); 1340 ret = 0; 1341 err: 1342 /* We have to set the BIO's to NULL otherwise they will be 1343 * free()ed twice. Once when th s_ssl is SSL_free()ed and 1344 * again when c_ssl is SSL_free()ed. 1345 * This is a hack required because s_ssl and c_ssl are sharing the same 1346 * BIO structure and SSL_set_bio() and SSL_free() automatically 1347 * BIO_free non NULL entries. 1348 * You should not normally do this or be required to do this */ 1349 if (s_ssl != NULL) { 1350 s_ssl->rbio = NULL; 1351 s_ssl->wbio = NULL; 1352 } 1353 if (c_ssl != NULL) { 1354 c_ssl->rbio = NULL; 1355 c_ssl->wbio = NULL; 1356 } 1357 1358 if (c_to_s != NULL) 1359 BIO_free(c_to_s); 1360 if (s_to_c != NULL) 1361 BIO_free(s_to_c); 1362 if (c_bio != NULL) 1363 BIO_free_all(c_bio); 1364 if (s_bio != NULL) 1365 BIO_free_all(s_bio); 1366 return (ret); 1367 } 1368 1369 static int 1370 get_proxy_auth_ex_data_idx(void) 1371 { 1372 static volatile int idx = -1; 1373 if (idx < 0) { 1374 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 1375 if (idx < 0) { 1376 idx = X509_STORE_CTX_get_ex_new_index(0, 1377 "SSLtest for verify callback", NULL, NULL, NULL); 1378 } 1379 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 1380 } 1381 return idx; 1382 } 1383 1384 static int 1385 verify_callback(int ok, X509_STORE_CTX *ctx) 1386 { 1387 char *s, buf[256]; 1388 1389 s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, 1390 sizeof buf); 1391 if (s != NULL) { 1392 if (ok) 1393 fprintf(stderr, "depth=%d %s\n", 1394 ctx->error_depth, buf); 1395 else { 1396 fprintf(stderr, "depth=%d error=%d %s\n", 1397 ctx->error_depth, ctx->error, buf); 1398 } 1399 } 1400 1401 if (ok == 0) { 1402 fprintf(stderr, "Error string: %s\n", 1403 X509_verify_cert_error_string(ctx->error)); 1404 switch (ctx->error) { 1405 case X509_V_ERR_CERT_NOT_YET_VALID: 1406 case X509_V_ERR_CERT_HAS_EXPIRED: 1407 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 1408 fprintf(stderr, " ... ignored.\n"); 1409 ok = 1; 1410 } 1411 } 1412 1413 if (ok == 1) { 1414 X509 *xs = ctx->current_cert; 1415 #if 0 1416 X509 *xi = ctx->current_issuer; 1417 #endif 1418 1419 if (xs->ex_flags & EXFLAG_PROXY) { 1420 unsigned int *letters = 1421 X509_STORE_CTX_get_ex_data(ctx, 1422 get_proxy_auth_ex_data_idx()); 1423 1424 if (letters) { 1425 int found_any = 0; 1426 int i; 1427 PROXY_CERT_INFO_EXTENSION *pci = 1428 X509_get_ext_d2i(xs, NID_proxyCertInfo, 1429 NULL, NULL); 1430 1431 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) { 1432 case NID_Independent: 1433 /* Completely meaningless in this 1434 program, as there's no way to 1435 grant explicit rights to a 1436 specific PrC. Basically, using 1437 id-ppl-Independent is the perfect 1438 way to grant no rights at all. */ 1439 fprintf(stderr, " Independent proxy certificate"); 1440 for (i = 0; i < 26; i++) 1441 letters[i] = 0; 1442 break; 1443 case NID_id_ppl_inheritAll: 1444 /* This is basically a NOP, we 1445 simply let the current rights 1446 stand as they are. */ 1447 fprintf(stderr, " Proxy certificate inherits all"); 1448 break; 1449 default: 1450 s = (char *) 1451 pci->proxyPolicy->policy->data; 1452 i = pci->proxyPolicy->policy->length; 1453 1454 /* The algorithm works as follows: 1455 it is assumed that previous 1456 iterations or the initial granted 1457 rights has already set some elements 1458 of `letters'. What we need to do is 1459 to clear those that weren't granted 1460 by the current PrC as well. The 1461 easiest way to do this is to add 1 1462 to all the elements whose letters 1463 are given with the current policy. 1464 That way, all elements that are set 1465 by the current policy and were 1466 already set by earlier policies and 1467 through the original grant of rights 1468 will get the value 2 or higher. 1469 The last thing to do is to sweep 1470 through `letters' and keep the 1471 elements having the value 2 as set, 1472 and clear all the others. */ 1473 1474 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); 1475 while (i-- > 0) { 1476 int c = *s++; 1477 if (isascii(c) && isalpha(c)) { 1478 if (islower(c)) 1479 c = toupper(c); 1480 letters[c - 'A']++; 1481 } 1482 } 1483 for (i = 0; i < 26; i++) 1484 if (letters[i] < 2) 1485 letters[i] = 0; 1486 else 1487 letters[i] = 1; 1488 } 1489 1490 found_any = 0; 1491 fprintf(stderr, ", resulting proxy rights = "); 1492 for (i = 0; i < 26; i++) 1493 if (letters[i]) { 1494 fprintf(stderr, "%c", i + 'A'); 1495 found_any = 1; 1496 } 1497 if (!found_any) 1498 fprintf(stderr, "none"); 1499 fprintf(stderr, "\n"); 1500 1501 PROXY_CERT_INFO_EXTENSION_free(pci); 1502 } 1503 } 1504 } 1505 1506 return (ok); 1507 } 1508 1509 static void 1510 process_proxy_debug(int indent, const char *format, ...) 1511 { 1512 static const char indentation[] = 1513 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" 1514 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ 1515 char my_format[256]; 1516 va_list args; 1517 1518 (void) snprintf(my_format, sizeof(my_format), "%*.*s %s", 1519 indent, indent, indentation, format); 1520 1521 va_start(args, format); 1522 vfprintf(stderr, my_format, args); 1523 va_end(args); 1524 } 1525 /* Priority levels: 1526 0 [!]var, () 1527 1 & ^ 1528 2 | 1529 */ 1530 static int process_proxy_cond_adders(unsigned int letters[26], 1531 const char *cond, const char **cond_end, int *pos, int indent); 1532 1533 static int 1534 process_proxy_cond_val(unsigned int letters[26], const char *cond, 1535 const char **cond_end, int *pos, int indent) 1536 { 1537 int c; 1538 int ok = 1; 1539 int negate = 0; 1540 1541 while (isspace((int)*cond)) { 1542 cond++; 1543 (*pos)++; 1544 } 1545 c = *cond; 1546 1547 if (debug) 1548 process_proxy_debug(indent, 1549 "Start process_proxy_cond_val at position %d: %s\n", 1550 *pos, cond); 1551 1552 while (c == '!') { 1553 negate = !negate; 1554 cond++; 1555 (*pos)++; 1556 while (isspace((int)*cond)) { 1557 cond++; 1558 (*pos)++; 1559 } 1560 c = *cond; 1561 } 1562 1563 if (c == '(') { 1564 cond++; 1565 (*pos)++; 1566 ok = process_proxy_cond_adders(letters, cond, cond_end, pos, 1567 indent + 1); 1568 cond = *cond_end; 1569 if (ok < 0) 1570 goto end; 1571 while (isspace((int)*cond)) { 1572 cond++; 1573 (*pos)++; 1574 } 1575 c = *cond; 1576 if (c != ')') { 1577 fprintf(stderr, 1578 "Weird condition character in position %d: " 1579 "%c\n", *pos, c); 1580 ok = -1; 1581 goto end; 1582 } 1583 cond++; 1584 (*pos)++; 1585 } else if (isascii(c) && isalpha(c)) { 1586 if (islower(c)) 1587 c = toupper(c); 1588 ok = letters[c - 'A']; 1589 cond++; 1590 (*pos)++; 1591 } else { 1592 fprintf(stderr, 1593 "Weird condition character in position %d: " 1594 "%c\n", *pos, c); 1595 ok = -1; 1596 goto end; 1597 } 1598 end: 1599 *cond_end = cond; 1600 if (ok >= 0 && negate) 1601 ok = !ok; 1602 1603 if (debug) 1604 process_proxy_debug(indent, 1605 "End process_proxy_cond_val at position %d: %s, returning %d\n", 1606 *pos, cond, ok); 1607 1608 return ok; 1609 } 1610 1611 static int 1612 process_proxy_cond_multipliers(unsigned int letters[26], const char *cond, 1613 const char **cond_end, int *pos, int indent) 1614 { 1615 int ok; 1616 char c; 1617 1618 if (debug) 1619 process_proxy_debug(indent, 1620 "Start process_proxy_cond_multipliers at position %d: %s\n", 1621 *pos, cond); 1622 1623 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); 1624 cond = *cond_end; 1625 if (ok < 0) 1626 goto end; 1627 1628 while (ok >= 0) { 1629 while (isspace((int)*cond)) { 1630 cond++; 1631 (*pos)++; 1632 } 1633 c = *cond; 1634 1635 switch (c) { 1636 case '&': 1637 case '^': 1638 { 1639 int save_ok = ok; 1640 1641 cond++; 1642 (*pos)++; 1643 ok = process_proxy_cond_val(letters, 1644 cond, cond_end, pos, indent + 1); 1645 cond = *cond_end; 1646 if (ok < 0) 1647 break; 1648 1649 switch (c) { 1650 case '&': 1651 ok &= save_ok; 1652 break; 1653 case '^': 1654 ok ^= save_ok; 1655 break; 1656 default: 1657 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1658 " STOPPING\n"); 1659 exit(1); 1660 } 1661 } 1662 break; 1663 default: 1664 goto end; 1665 } 1666 } 1667 end: 1668 if (debug) 1669 process_proxy_debug(indent, 1670 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", 1671 *pos, cond, ok); 1672 1673 *cond_end = cond; 1674 return ok; 1675 } 1676 1677 static int 1678 process_proxy_cond_adders(unsigned int letters[26], const char *cond, 1679 const char **cond_end, int *pos, int indent) 1680 { 1681 int ok; 1682 char c; 1683 1684 if (debug) 1685 process_proxy_debug(indent, 1686 "Start process_proxy_cond_adders at position %d: %s\n", 1687 *pos, cond); 1688 1689 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, 1690 indent + 1); 1691 cond = *cond_end; 1692 if (ok < 0) 1693 goto end; 1694 1695 while (ok >= 0) { 1696 while (isspace((int)*cond)) { 1697 cond++; 1698 (*pos)++; 1699 } 1700 c = *cond; 1701 1702 switch (c) { 1703 case '|': 1704 { 1705 int save_ok = ok; 1706 1707 cond++; 1708 (*pos)++; 1709 ok = process_proxy_cond_multipliers(letters, 1710 cond, cond_end, pos, indent + 1); 1711 cond = *cond_end; 1712 if (ok < 0) 1713 break; 1714 1715 switch (c) { 1716 case '|': 1717 ok |= save_ok; 1718 break; 1719 default: 1720 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1721 " STOPPING\n"); 1722 exit(1); 1723 } 1724 } 1725 break; 1726 default: 1727 goto end; 1728 } 1729 } 1730 end: 1731 if (debug) 1732 process_proxy_debug(indent, 1733 "End process_proxy_cond_adders at position %d: %s, returning %d\n", 1734 *pos, cond, ok); 1735 1736 *cond_end = cond; 1737 return ok; 1738 } 1739 1740 static int 1741 process_proxy_cond(unsigned int letters[26], const char *cond, 1742 const char **cond_end) 1743 { 1744 int pos = 1; 1745 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); 1746 } 1747 1748 static int 1749 app_verify_callback(X509_STORE_CTX *ctx, void *arg) 1750 { 1751 int ok = 1; 1752 struct app_verify_arg *cb_arg = arg; 1753 unsigned int letters[26]; /* only used with proxy_auth */ 1754 1755 if (cb_arg->app_verify) { 1756 char *s = NULL, buf[256]; 1757 1758 fprintf(stderr, "In app_verify_callback, allowing cert. "); 1759 fprintf(stderr, "Arg is: %s\n", cb_arg->string); 1760 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", 1761 (void *)ctx, (void *)ctx->cert); 1762 if (ctx->cert) 1763 s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256); 1764 if (s != NULL) { 1765 fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf); 1766 } 1767 return (1); 1768 } 1769 if (cb_arg->proxy_auth) { 1770 int found_any = 0, i; 1771 char *sp; 1772 1773 for (i = 0; i < 26; i++) 1774 letters[i] = 0; 1775 for (sp = cb_arg->proxy_auth; *sp; sp++) { 1776 int c = *sp; 1777 if (isascii(c) && isalpha(c)) { 1778 if (islower(c)) 1779 c = toupper(c); 1780 letters[c - 'A'] = 1; 1781 } 1782 } 1783 1784 fprintf(stderr, " Initial proxy rights = "); 1785 for (i = 0; i < 26; i++) 1786 if (letters[i]) { 1787 fprintf(stderr, "%c", i + 'A'); 1788 found_any = 1; 1789 } 1790 if (!found_any) 1791 fprintf(stderr, "none"); 1792 fprintf(stderr, "\n"); 1793 1794 X509_STORE_CTX_set_ex_data(ctx, 1795 get_proxy_auth_ex_data_idx(), letters); 1796 } 1797 if (cb_arg->allow_proxy_certs) { 1798 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); 1799 } 1800 1801 #ifndef OPENSSL_NO_X509_VERIFY 1802 ok = X509_verify_cert(ctx); 1803 #endif 1804 1805 if (cb_arg->proxy_auth) { 1806 if (ok > 0) { 1807 const char *cond_end = NULL; 1808 1809 ok = process_proxy_cond(letters, 1810 cb_arg->proxy_cond, &cond_end); 1811 1812 if (ok < 0) 1813 exit(3); 1814 if (*cond_end) { 1815 fprintf(stderr, "Stopped processing condition before it's end.\n"); 1816 ok = 0; 1817 } 1818 if (!ok) 1819 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", 1820 cb_arg->proxy_cond); 1821 else 1822 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", 1823 cb_arg->proxy_cond); 1824 } 1825 } 1826 return (ok); 1827 } 1828 1829 static RSA *rsa_tmp = NULL; 1830 1831 static RSA * 1832 tmp_rsa_cb(SSL *s, int is_export, int keylength) 1833 { 1834 BIGNUM *bn = NULL; 1835 if (rsa_tmp == NULL) { 1836 bn = BN_new(); 1837 rsa_tmp = RSA_new(); 1838 if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) { 1839 BIO_printf(bio_err, "Memory error..."); 1840 goto end; 1841 } 1842 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength); 1843 (void)BIO_flush(bio_err); 1844 if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) { 1845 BIO_printf(bio_err, "Error generating key."); 1846 RSA_free(rsa_tmp); 1847 rsa_tmp = NULL; 1848 } 1849 end: 1850 BIO_printf(bio_err, "\n"); 1851 (void)BIO_flush(bio_err); 1852 } 1853 if (bn) 1854 BN_free(bn); 1855 return (rsa_tmp); 1856 } 1857 1858 static void 1859 free_tmp_rsa(void) 1860 { 1861 if (rsa_tmp != NULL) { 1862 RSA_free(rsa_tmp); 1863 rsa_tmp = NULL; 1864 } 1865 } 1866 1867 #ifndef OPENSSL_NO_DH 1868 /* These DH parameters have been generated as follows: 1869 * $ openssl dhparam -C -noout 512 1870 * $ openssl dhparam -C -noout 1024 1871 * $ openssl dhparam -C -noout -dsaparam 1024 1872 * (The third function has been renamed to avoid name conflicts.) 1873 */ 1874 static DH * 1875 get_dh512() 1876 { 1877 static unsigned char dh512_p[] = { 1878 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0, 0xC6, 1879 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04, 0xB0, 1880 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9, 0x5F, 1881 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33, 0xB8, 1882 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21, 0x33, 1883 0x02, 0xC5, 0xAE, 0x23, 1884 }; 1885 static unsigned char dh512_g[] = { 1886 0x02, 1887 }; 1888 DH *dh; 1889 1890 if ((dh = DH_new()) == NULL) return (NULL); 1891 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); 1892 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); 1893 if ((dh->p == NULL) || (dh->g == NULL)) { 1894 DH_free(dh); 1895 return (NULL); 1896 } 1897 return (dh); 1898 } 1899 1900 static DH * 1901 get_dh1024() 1902 { 1903 static unsigned char dh1024_p[] = { 1904 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF, 0x3A, 1905 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56, 0xA2, 1906 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F, 0xB0, 1907 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87, 0xC2, 1908 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0, 0x8C, 1909 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F, 0xB8, 1910 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D, 0x52, 1911 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC, 0xC1, 1912 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB, 0xB1, 1913 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89, 0xAB, 1914 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53, 1915 }; 1916 static unsigned char dh1024_g[] = { 1917 0x02, 1918 }; 1919 DH *dh; 1920 1921 if ((dh = DH_new()) == NULL) return (NULL); 1922 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); 1923 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); 1924 if ((dh->p == NULL) || (dh->g == NULL)) { 1925 DH_free(dh); 1926 return (NULL); 1927 } 1928 return (dh); 1929 } 1930 1931 static DH * 1932 get_dh1024dsa() 1933 { 1934 static unsigned char dh1024_p[] = { 1935 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5, 0x00, 1936 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87, 0x19, 1937 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65, 0xD2, 1938 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6, 0x55, 1939 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF, 0xFC, 1940 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52, 0x97, 1941 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28, 0x8D, 1942 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD, 0xBB, 1943 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C, 0xF6, 1944 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26, 0x9E, 1945 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39, 1946 }; 1947 static unsigned char dh1024_g[] = { 1948 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80, 0x05, 1949 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03, 0xF3, 1950 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A, 0xE9, 1951 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85, 0x3C, 1952 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B, 0x65, 1953 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF, 0x60, 1954 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E, 0xF6, 1955 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB, 0xA7, 1956 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72, 0xA1, 1957 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E, 0x60, 1958 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2, 1959 }; 1960 DH *dh; 1961 1962 if ((dh = DH_new()) == NULL) return (NULL); 1963 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); 1964 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); 1965 if ((dh->p == NULL) || (dh->g == NULL)) { 1966 DH_free(dh); 1967 return (NULL); 1968 } 1969 dh->length = 160; 1970 return (dh); 1971 } 1972 #endif 1973 1974 static int 1975 do_test_cipherlist(void) 1976 { 1977 int i = 0; 1978 const SSL_METHOD *meth; 1979 const SSL_CIPHER *ci, *tci = NULL; 1980 1981 fprintf(stderr, "testing SSLv3 cipher list order: "); 1982 meth = SSLv3_method(); 1983 tci = NULL; 1984 while ((ci = meth->get_cipher(i++)) != NULL) { 1985 if (tci != NULL) 1986 if (ci->id >= tci->id) { 1987 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 1988 return 0; 1989 } 1990 tci = ci; 1991 } 1992 fprintf(stderr, "ok\n"); 1993 fprintf(stderr, "testing TLSv1 cipher list order: "); 1994 meth = TLSv1_method(); 1995 tci = NULL; 1996 while ((ci = meth->get_cipher(i++)) != NULL) { 1997 if (tci != NULL) 1998 if (ci->id >= tci->id) { 1999 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2000 return 0; 2001 } 2002 tci = ci; 2003 } 2004 fprintf(stderr, "ok\n"); 2005 2006 return 1; 2007 } 2008