Symaptic: os/ossrv/ssl/libssl/src/ssltest.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/ssltest.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58	/* ====================================================================
sl@0	59	* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
sl@0	60	*
sl@0	61	* Redistribution and use in source and binary forms, with or without
sl@0	62	* modification, are permitted provided that the following conditions
sl@0	63	* are met:
sl@0	64	*
sl@0	65	* 1. Redistributions of source code must retain the above copyright
sl@0	66	* notice, this list of conditions and the following disclaimer.
sl@0	67	*
sl@0	68	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	69	* notice, this list of conditions and the following disclaimer in
sl@0	70	* the documentation and/or other materials provided with the
sl@0	71	* distribution.
sl@0	72	*
sl@0	73	* 3. All advertising materials mentioning features or use of this
sl@0	74	* software must display the following acknowledgment:
sl@0	75	* "This product includes software developed by the OpenSSL Project
sl@0	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0	77	*
sl@0	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	79	* endorse or promote products derived from this software without
sl@0	80	* prior written permission. For written permission, please contact
sl@0	81	* openssl-core@openssl.org.
sl@0	82	*
sl@0	83	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	84	* nor may "OpenSSL" appear in their names without prior written
sl@0	85	* permission of the OpenSSL Project.
sl@0	86	*
sl@0	87	* 6. Redistributions of any form whatsoever must retain the following
sl@0	88	* acknowledgment:
sl@0	89	* "This product includes software developed by the OpenSSL Project
sl@0	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0	91	*
sl@0	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	104	* ====================================================================
sl@0	105	*
sl@0	106	* This product includes cryptographic software written by Eric Young
sl@0	107	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	108	* Hudson (tjh@cryptsoft.com).
sl@0	109	*
sl@0	110	*/
sl@0	111	/* ====================================================================
sl@0	112	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
sl@0	113	* ECC cipher suite support in OpenSSL originally developed by
sl@0	114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
sl@0	115	*/
sl@0	116
sl@0	117	#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
sl@0	118	on Linux and GNU platforms. */
sl@0	119
sl@0	120	#include <assert.h>
sl@0	121	#include <errno.h>
sl@0	122	#include <limits.h>
sl@0	123	#include <stdio.h>
sl@0	124	#include <stdlib.h>
sl@0	125	#include <string.h>
sl@0	126	#include <time.h>
sl@0	127
sl@0	128	#define USE_SOCKETS
sl@0	129	#include "e_os.h"
sl@0	130
sl@0	131	#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
sl@0	132	VMS (at least with DECompHP C). */
sl@0	133	#include <ctype.h>
sl@0	134
sl@0	135	#include <openssl/bio.h>
sl@0	136	#include <openssl/crypto.h>
sl@0	137	#include <openssl/evp.h>
sl@0	138	#include <openssl/x509.h>
sl@0	139	#include <openssl/x509v3.h>
sl@0	140	#include <openssl/ssl.h>
sl@0	141	#ifndef OPENSSL_NO_ENGINE
sl@0	142	#include <openssl/engine.h>
sl@0	143	#endif
sl@0	144	#include <openssl/err.h>
sl@0	145	#include <openssl/rand.h>
sl@0	146	#ifndef OPENSSL_NO_RSA
sl@0	147	#include <openssl/rsa.h>
sl@0	148	#endif
sl@0	149	#ifndef OPENSSL_NO_DSA
sl@0	150	#include <openssl/dsa.h>
sl@0	151	#endif
sl@0	152	#ifndef OPENSSL_NO_DH
sl@0	153	#include <openssl/dh.h>
sl@0	154	#endif
sl@0	155	#include <openssl/bn.h>
sl@0	156
sl@0	157	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
sl@0	158	on Compaq platforms (at least with DEC C).
sl@0	159	Do not try to put it earlier, or IPv6 includes
sl@0	160	get screwed...
sl@0	161	*/
sl@0	162
sl@0	163	#ifdef OPENSSL_SYS_WINDOWS
sl@0	164	#include <winsock.h>
sl@0	165	#else
sl@0	166	#include OPENSSL_UNISTD
sl@0	167	#endif
sl@0	168
sl@0	169	#ifdef OPENSSL_SYS_VMS
sl@0	170	# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
sl@0	171	# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
sl@0	172	#elif defined(OPENSSL_SYS_WINCE)
sl@0	173	# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
sl@0	174	# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
sl@0	175	#elif defined(OPENSSL_SYS_NETWARE)
sl@0	176	# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
sl@0	177	# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
sl@0	178	#else
sl@0	179	# define TEST_SERVER_CERT "../apps/server.pem"
sl@0	180	# define TEST_CLIENT_CERT "../apps/client.pem"
sl@0	181	#endif
sl@0	182
sl@0	183	/* There is really no standard for this, so let's assign some tentative
sl@0	184	numbers. In any case, these numbers are only for this test */
sl@0	185	#define COMP_RLE 255
sl@0	186	#define COMP_ZLIB 1
sl@0	187
sl@0	188	static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
sl@0	189	#ifndef OPENSSL_NO_RSA
sl@0	190	static RSA MS_CALLBACK tmp_rsa_cb(SSL s, int is_export,int keylength);
sl@0	191	static void free_tmp_rsa(void);
sl@0	192	#endif
sl@0	193	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg);
sl@0	194	#define APP_CALLBACK_STRING "Test Callback Argument"
sl@0	195	struct app_verify_arg
sl@0	196	{
sl@0	197	char *string;
sl@0	198	int app_verify;
sl@0	199	int allow_proxy_certs;
sl@0	200	char *proxy_auth;
sl@0	201	char *proxy_cond;
sl@0	202	};
sl@0	203
sl@0	204	#ifndef OPENSSL_NO_DH
sl@0	205	static DH *get_dh512(void);
sl@0	206	static DH *get_dh1024(void);
sl@0	207	static DH *get_dh1024dsa(void);
sl@0	208	#endif
sl@0	209
sl@0	210	static BIO *bio_err=NULL;
sl@0	211	static BIO *bio_stdout=NULL;
sl@0	212
sl@0	213	static char *cipher=NULL;
sl@0	214	static int verbose=0;
sl@0	215	static int debug=0;
sl@0	216	#if 0
sl@0	217	/* Not used yet. */
sl@0	218	#ifdef FIONBIO
sl@0	219	static int s_nbio=0;
sl@0	220	#endif
sl@0	221	#endif
sl@0	222
sl@0	223	static const char rnd_seed[] = "string to make the random number generator think it has entropy";
sl@0	224
sl@0	225	int doit_biopair(SSL s_ssl,SSL c_ssl,long bytes,clock_t s_time,clock_t c_time);
sl@0	226	int doit(SSL s_ssl,SSL c_ssl,long bytes);
sl@0	227	static int do_test_cipherlist(void);
sl@0	228	static void sv_usage(void)
sl@0	229	{
sl@0	230	fprintf(stderr,"usage: ssltest [args ...]\n");
sl@0	231	fprintf(stderr,"\n");
sl@0	232	fprintf(stderr," -server_auth - check server certificate\n");
sl@0	233	fprintf(stderr," -client_auth - do client authentication\n");
sl@0	234	fprintf(stderr," -proxy - allow proxy certificates\n");
sl@0	235	fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
sl@0	236	fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
sl@0	237	fprintf(stderr," -v - more output\n");
sl@0	238	fprintf(stderr," -d - debug output\n");
sl@0	239	fprintf(stderr," -reuse - use session-id reuse\n");
sl@0	240	fprintf(stderr," -num <val> - number of connections to perform\n");
sl@0	241	fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
sl@0	242	#ifndef OPENSSL_NO_DH
sl@0	243	fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
sl@0	244	fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
sl@0	245	fprintf(stderr," -no_dhe - disable DHE\n");
sl@0	246	#endif
sl@0	247	#ifndef OPENSSL_NO_ECDH
sl@0	248	fprintf(stderr," -no_ecdhe - disable ECDHE\n");
sl@0	249	#endif
sl@0	250	#ifndef OPENSSL_NO_SSL2
sl@0	251	fprintf(stderr," -ssl2 - use SSLv2\n");
sl@0	252	#endif
sl@0	253	#ifndef OPENSSL_NO_SSL3
sl@0	254	fprintf(stderr," -ssl3 - use SSLv3\n");
sl@0	255	#endif
sl@0	256	#ifndef OPENSSL_NO_TLS1
sl@0	257	fprintf(stderr," -tls1 - use TLSv1\n");
sl@0	258	#endif
sl@0	259	fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
sl@0	260	fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
sl@0	261	fprintf(stderr," -cert arg - Server certificate file\n");
sl@0	262	fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
sl@0	263	fprintf(stderr," -c_cert arg - Client certificate file\n");
sl@0	264	fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
sl@0	265	fprintf(stderr," -cipher arg - The cipher list\n");
sl@0	266	fprintf(stderr," -bio_pair - Use BIO pairs\n");
sl@0	267	fprintf(stderr," -f - Test even cases that can't work\n");
sl@0	268	fprintf(stderr," -time - measure processor time used by client and server\n");
sl@0	269	fprintf(stderr," -zlib - use zlib compression\n");
sl@0	270	fprintf(stderr," -rle - use rle compression\n");
sl@0	271	#ifndef OPENSSL_NO_ECDH
sl@0	272	fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
sl@0	273	" Use \"openssl ecparam -list_curves\" for all names\n" \
sl@0	274	" (default is sect163r2).\n");
sl@0	275	#endif
sl@0	276	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
sl@0	277	}
sl@0	278
sl@0	279	static void print_details(SSL c_ssl, const char prefix)
sl@0	280	{
sl@0	281	SSL_CIPHER *ciph;
sl@0	282	X509 *cert;
sl@0	283
sl@0	284	ciph=SSL_get_current_cipher(c_ssl);
sl@0	285	BIO_printf(bio_stdout,"%s%s, cipher %s %s",
sl@0	286	prefix,
sl@0	287	SSL_get_version(c_ssl),
sl@0	288	SSL_CIPHER_get_version(ciph),
sl@0	289	SSL_CIPHER_get_name(ciph));
sl@0	290	cert=SSL_get_peer_certificate(c_ssl);
sl@0	291	if (cert != NULL)
sl@0	292	{
sl@0	293	EVP_PKEY *pkey = X509_get_pubkey(cert);
sl@0	294	if (pkey != NULL)
sl@0	295	{
sl@0	296	if (0)
sl@0	297	;
sl@0	298	#ifndef OPENSSL_NO_RSA
sl@0	299	else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
sl@0	300	&& pkey->pkey.rsa->n != NULL)
sl@0	301	{
sl@0	302	BIO_printf(bio_stdout, ", %d bit RSA",
sl@0	303	BN_num_bits(pkey->pkey.rsa->n));
sl@0	304	}
sl@0	305	#endif
sl@0	306	#ifndef OPENSSL_NO_DSA
sl@0	307	else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
sl@0	308	&& pkey->pkey.dsa->p != NULL)
sl@0	309	{
sl@0	310	BIO_printf(bio_stdout, ", %d bit DSA",
sl@0	311	BN_num_bits(pkey->pkey.dsa->p));
sl@0	312	}
sl@0	313	#endif
sl@0	314	EVP_PKEY_free(pkey);
sl@0	315	}
sl@0	316	X509_free(cert);
sl@0	317	}
sl@0	318	/* The SSL API does not allow us to look at temporary RSA/DH keys,
sl@0	319	* otherwise we should print their lengths too */
sl@0	320	BIO_printf(bio_stdout,"\n");
sl@0	321	}
sl@0	322
sl@0	323	static void lock_dbg_cb(int mode, int type, const char *file, int line)
sl@0	324	{
sl@0	325	static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
sl@0	326	const char *errstr = NULL;
sl@0	327	int rw;
sl@0	328
sl@0	329	rw = mode & (CRYPTO_READ\|CRYPTO_WRITE);
sl@0	330	if (!((rw == CRYPTO_READ) \|\| (rw == CRYPTO_WRITE)))
sl@0	331	{
sl@0	332	errstr = "invalid mode";
sl@0	333	goto err;
sl@0	334	}
sl@0	335
sl@0	336	if (type < 0 \|\| type >= CRYPTO_NUM_LOCKS)
sl@0	337	{
sl@0	338	errstr = "type out of bounds";
sl@0	339	goto err;
sl@0	340	}
sl@0	341
sl@0	342	if (mode & CRYPTO_LOCK)
sl@0	343	{
sl@0	344	if (modes[type])
sl@0	345	{
sl@0	346	errstr = "already locked";
sl@0	347	/* must not happen in a single-threaded program
sl@0	348	* (would deadlock) */
sl@0	349	goto err;
sl@0	350	}
sl@0	351
sl@0	352	modes[type] = rw;
sl@0	353	}
sl@0	354	else if (mode & CRYPTO_UNLOCK)
sl@0	355	{
sl@0	356	if (!modes[type])
sl@0	357	{
sl@0	358	errstr = "not locked";
sl@0	359	goto err;
sl@0	360	}
sl@0	361
sl@0	362	if (modes[type] != rw)
sl@0	363	{
sl@0	364	errstr = (rw == CRYPTO_READ) ?
sl@0	365	"CRYPTO_r_unlock on write lock" :
sl@0	366	"CRYPTO_w_unlock on read lock";
sl@0	367	}
sl@0	368
sl@0	369	modes[type] = 0;
sl@0	370	}
sl@0	371	else
sl@0	372	{
sl@0	373	errstr = "invalid mode";
sl@0	374	goto err;
sl@0	375	}
sl@0	376
sl@0	377	err:
sl@0	378	if (errstr)
sl@0	379	{
sl@0	380	/* we cannot use bio_err here */
sl@0	381	fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
sl@0	382	errstr, mode, type, file, line);
sl@0	383	}
sl@0	384	}
sl@0	385
sl@0	386
sl@0	387	int main(int argc, char *argv[])
sl@0	388	{
sl@0	389	char CApath=NULL,CAfile=NULL;
sl@0	390	int badop=0;
sl@0	391	int bio_pair=0;
sl@0	392	int force=0;
sl@0	393	int tls1=0,ssl2=0,ssl3=0,ret=1;
sl@0	394	int client_auth=0;
sl@0	395	int server_auth=0,i;
sl@0	396	struct app_verify_arg app_verify_arg =
sl@0	397	{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
sl@0	398	char *server_cert=TEST_SERVER_CERT;
sl@0	399	char *server_key=NULL;
sl@0	400	char *client_cert=TEST_CLIENT_CERT;
sl@0	401	char *client_key=NULL;
sl@0	402	#ifndef OPENSSL_NO_ECDH
sl@0	403	char *named_curve = NULL;
sl@0	404	#endif
sl@0	405	SSL_CTX *s_ctx=NULL;
sl@0	406	SSL_CTX *c_ctx=NULL;
sl@0	407	SSL_METHOD *meth=NULL;
sl@0	408	SSL c_ssl,s_ssl;
sl@0	409	int number=1,reuse=0;
sl@0	410	long bytes=256L;
sl@0	411	#ifndef OPENSSL_NO_DH
sl@0	412	DH *dh;
sl@0	413	int dhe1024 = 0, dhe1024dsa = 0;
sl@0	414	#endif
sl@0	415	#ifndef OPENSSL_NO_ECDH
sl@0	416	EC_KEY *ecdh = NULL;
sl@0	417	#endif
sl@0	418	int no_dhe = 0;
sl@0	419	int no_ecdhe = 0;
sl@0	420	int print_time = 0;
sl@0	421	clock_t s_time = 0, c_time = 0;
sl@0	422	int comp = 0;
sl@0	423	#ifndef OPENSSL_NO_COMP
sl@0	424	COMP_METHOD *cm = NULL;
sl@0	425	#endif
sl@0	426	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
sl@0	427	int test_cipherlist = 0;
sl@0	428
sl@0	429	verbose = 0;
sl@0	430	debug = 0;
sl@0	431	cipher = 0;
sl@0	432
sl@0	433	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
sl@0	434
sl@0	435	CRYPTO_set_locking_callback(lock_dbg_cb);
sl@0	436
sl@0	437	/* enable memory leak checking unless explicitly disabled */
sl@0	438	if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
sl@0	439	{
sl@0	440	CRYPTO_malloc_debug_init();
sl@0	441	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
sl@0	442	}
sl@0	443	else
sl@0	444	{
sl@0	445	/* OPENSSL_DEBUG_MEMORY=off */
sl@0	446	CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
sl@0	447	}
sl@0	448	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
sl@0	449
sl@0	450	RAND_seed(rnd_seed, sizeof rnd_seed);
sl@0	451
sl@0	452	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
sl@0	453
sl@0	454	argc--;
sl@0	455	argv++;
sl@0	456
sl@0	457	while (argc >= 1)
sl@0	458	{
sl@0	459	if (strcmp(*argv,"-server_auth") == 0)
sl@0	460	server_auth=1;
sl@0	461	else if (strcmp(*argv,"-client_auth") == 0)
sl@0	462	client_auth=1;
sl@0	463	else if (strcmp(*argv,"-proxy_auth") == 0)
sl@0	464	{
sl@0	465	if (--argc < 1) goto bad;
sl@0	466	app_verify_arg.proxy_auth= *(++argv);
sl@0	467	}
sl@0	468	else if (strcmp(*argv,"-proxy_cond") == 0)
sl@0	469	{
sl@0	470	if (--argc < 1) goto bad;
sl@0	471	app_verify_arg.proxy_cond= *(++argv);
sl@0	472	}
sl@0	473	else if (strcmp(*argv,"-v") == 0)
sl@0	474	verbose=1;
sl@0	475	else if (strcmp(*argv,"-d") == 0)
sl@0	476	debug=1;
sl@0	477	else if (strcmp(*argv,"-reuse") == 0)
sl@0	478	reuse=1;
sl@0	479	else if (strcmp(*argv,"-dhe1024") == 0)
sl@0	480	{
sl@0	481	#ifndef OPENSSL_NO_DH
sl@0	482	dhe1024=1;
sl@0	483	#else
sl@0	484	fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
sl@0	485	#endif
sl@0	486	}
sl@0	487	else if (strcmp(*argv,"-dhe1024dsa") == 0)
sl@0	488	{
sl@0	489	#ifndef OPENSSL_NO_DH
sl@0	490	dhe1024dsa=1;
sl@0	491	#else
sl@0	492	fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
sl@0	493	#endif
sl@0	494	}
sl@0	495	else if (strcmp(*argv,"-no_dhe") == 0)
sl@0	496	no_dhe=1;
sl@0	497	else if (strcmp(*argv,"-no_ecdhe") == 0)
sl@0	498	no_ecdhe=1;
sl@0	499	else if (strcmp(*argv,"-ssl2") == 0)
sl@0	500	ssl2=1;
sl@0	501	else if (strcmp(*argv,"-tls1") == 0)
sl@0	502	tls1=1;
sl@0	503	else if (strcmp(*argv,"-ssl3") == 0)
sl@0	504	ssl3=1;
sl@0	505	else if (strncmp(*argv,"-num",4) == 0)
sl@0	506	{
sl@0	507	if (--argc < 1) goto bad;
sl@0	508	number= atoi(*(++argv));
sl@0	509	if (number == 0) number=1;
sl@0	510	}
sl@0	511	else if (strcmp(*argv,"-bytes") == 0)
sl@0	512	{
sl@0	513	if (--argc < 1) goto bad;
sl@0	514	bytes= atol(*(++argv));
sl@0	515	if (bytes == 0L) bytes=1L;
sl@0	516	i=strlen(argv[0]);
sl@0	517	if (argv[0][i-1] == 'k') bytes*=1024L;
sl@0	518	if (argv[0][i-1] == 'm') bytes=1024L1024L;
sl@0	519	}
sl@0	520	else if (strcmp(*argv,"-cert") == 0)
sl@0	521	{
sl@0	522	if (--argc < 1) goto bad;
sl@0	523	server_cert= *(++argv);
sl@0	524	}
sl@0	525	else if (strcmp(*argv,"-s_cert") == 0)
sl@0	526	{
sl@0	527	if (--argc < 1) goto bad;
sl@0	528	server_cert= *(++argv);
sl@0	529	}
sl@0	530	else if (strcmp(*argv,"-key") == 0)
sl@0	531	{
sl@0	532	if (--argc < 1) goto bad;
sl@0	533	server_key= *(++argv);
sl@0	534	}
sl@0	535	else if (strcmp(*argv,"-s_key") == 0)
sl@0	536	{
sl@0	537	if (--argc < 1) goto bad;
sl@0	538	server_key= *(++argv);
sl@0	539	}
sl@0	540	else if (strcmp(*argv,"-c_cert") == 0)
sl@0	541	{
sl@0	542	if (--argc < 1) goto bad;
sl@0	543	client_cert= *(++argv);
sl@0	544	}
sl@0	545	else if (strcmp(*argv,"-c_key") == 0)
sl@0	546	{
sl@0	547	if (--argc < 1) goto bad;
sl@0	548	client_key= *(++argv);
sl@0	549	}
sl@0	550	else if (strcmp(*argv,"-cipher") == 0)
sl@0	551	{
sl@0	552	if (--argc < 1) goto bad;
sl@0	553	cipher= *(++argv);
sl@0	554	}
sl@0	555	else if (strcmp(*argv,"-CApath") == 0)
sl@0	556	{
sl@0	557	if (--argc < 1) goto bad;
sl@0	558	CApath= *(++argv);
sl@0	559	}
sl@0	560	else if (strcmp(*argv,"-CAfile") == 0)
sl@0	561	{
sl@0	562	if (--argc < 1) goto bad;
sl@0	563	CAfile= *(++argv);
sl@0	564	}
sl@0	565	else if (strcmp(*argv,"-bio_pair") == 0)
sl@0	566	{
sl@0	567	bio_pair = 1;
sl@0	568	}
sl@0	569	else if (strcmp(*argv,"-f") == 0)
sl@0	570	{
sl@0	571	force = 1;
sl@0	572	}
sl@0	573	else if (strcmp(*argv,"-time") == 0)
sl@0	574	{
sl@0	575	print_time = 1;
sl@0	576	}
sl@0	577	else if (strcmp(*argv,"-zlib") == 0)
sl@0	578	{
sl@0	579	comp = COMP_ZLIB;
sl@0	580	}
sl@0	581	else if (strcmp(*argv,"-rle") == 0)
sl@0	582	{
sl@0	583	comp = COMP_RLE;
sl@0	584	}
sl@0	585	else if (strcmp(*argv,"-named_curve") == 0)
sl@0	586	{
sl@0	587	if (--argc < 1) goto bad;
sl@0	588	#ifndef OPENSSL_NO_ECDH
sl@0	589	named_curve = *(++argv);
sl@0	590	#else
sl@0	591	fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
sl@0	592	++argv;
sl@0	593	#endif
sl@0	594	}
sl@0	595	else if (strcmp(*argv,"-app_verify") == 0)
sl@0	596	{
sl@0	597	app_verify_arg.app_verify = 1;
sl@0	598	}
sl@0	599	else if (strcmp(*argv,"-proxy") == 0)
sl@0	600	{
sl@0	601	app_verify_arg.allow_proxy_certs = 1;
sl@0	602	}
sl@0	603	else if (strcmp(*argv,"-test_cipherlist") == 0)
sl@0	604	{
sl@0	605	test_cipherlist = 1;
sl@0	606	}
sl@0	607	else
sl@0	608	{
sl@0	609	fprintf(stderr,"unknown option %s\n",*argv);
sl@0	610	badop=1;
sl@0	611	break;
sl@0	612	}
sl@0	613	argc--;
sl@0	614	argv++;
sl@0	615	}
sl@0	616	if (badop)
sl@0	617	{
sl@0	618	bad:
sl@0	619	sv_usage();
sl@0	620	goto end;
sl@0	621	}
sl@0	622
sl@0	623	if (test_cipherlist == 1)
sl@0	624	{
sl@0	625	/* ensure that the cipher list are correctly sorted and exit */
sl@0	626	if (do_test_cipherlist() == 0)
sl@0	627	EXIT(1);
sl@0	628	ret = 0;
sl@0	629	goto end;
sl@0	630	}
sl@0	631
sl@0	632	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
sl@0	633	{
sl@0	634	fprintf(stderr, "This case cannot work. Use -f to perform "
sl@0	635	"the test anyway (and\n-d to see what happens), "
sl@0	636	"or add one of -ssl2, -ssl3, -tls1, -reuse\n"
sl@0	637	"to avoid protocol mismatch.\n");
sl@0	638	EXIT(1);
sl@0	639	}
sl@0	640
sl@0	641	if (print_time)
sl@0	642	{
sl@0	643	if (!bio_pair)
sl@0	644	{
sl@0	645	fprintf(stderr, "Using BIO pair (-bio_pair)\n");
sl@0	646	bio_pair = 1;
sl@0	647	}
sl@0	648	if (number < 50 && !force)
sl@0	649	fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
sl@0	650	}
sl@0	651
sl@0	652	/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
sl@0	653
sl@0	654	SSL_library_init();
sl@0	655	SSL_load_error_strings();
sl@0	656
sl@0	657	#ifndef OPENSSL_NO_COMP
sl@0	658	if (comp == COMP_ZLIB) cm = COMP_zlib();
sl@0	659	if (comp == COMP_RLE) cm = COMP_rle();
sl@0	660	if (cm != NULL)
sl@0	661	{
sl@0	662	if (cm->type != NID_undef)
sl@0	663	{
sl@0	664	if (SSL_COMP_add_compression_method(comp, cm) != 0)
sl@0	665	{
sl@0	666	fprintf(stderr,
sl@0	667	"Failed to add compression method\n");
sl@0	668	ERR_print_errors_fp(stderr);
sl@0	669	}
sl@0	670	}
sl@0	671	else
sl@0	672	{
sl@0	673	fprintf(stderr,
sl@0	674	"Warning: %s compression not supported\n",
sl@0	675	(comp == COMP_RLE ? "rle" :
sl@0	676	(comp == COMP_ZLIB ? "zlib" :
sl@0	677	"unknown")));
sl@0	678	ERR_print_errors_fp(stderr);
sl@0	679	}
sl@0	680	}
sl@0	681	ssl_comp_methods = SSL_COMP_get_compression_methods();
sl@0	682	fprintf(stderr, "Available compression methods:\n");
sl@0	683	{
sl@0	684	int j, n = sk_SSL_COMP_num(ssl_comp_methods);
sl@0	685	if (n == 0)
sl@0	686	fprintf(stderr, " NONE\n");
sl@0	687	else
sl@0	688	for (j = 0; j < n; j++)
sl@0	689	{
sl@0	690	SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
sl@0	691	fprintf(stderr, " %d: %s\n", c->id, c->name);
sl@0	692	}
sl@0	693	}
sl@0	694	#endif
sl@0	695
sl@0	696	#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
sl@0	697	if (ssl2)
sl@0	698	meth=SSLv2_method();
sl@0	699	else
sl@0	700	if (tls1)
sl@0	701	meth=TLSv1_method();
sl@0	702	else
sl@0	703	if (ssl3)
sl@0	704	meth=SSLv3_method();
sl@0	705	else
sl@0	706	meth=SSLv23_method();
sl@0	707	#else
sl@0	708	#ifdef OPENSSL_NO_SSL2
sl@0	709	meth=SSLv3_method();
sl@0	710	#else
sl@0	711	meth=SSLv2_method();
sl@0	712	#endif
sl@0	713	#endif
sl@0	714
sl@0	715	c_ctx=SSL_CTX_new(meth);
sl@0	716	s_ctx=SSL_CTX_new(meth);
sl@0	717	if ((c_ctx == NULL) \|\| (s_ctx == NULL))
sl@0	718	{
sl@0	719	ERR_print_errors(bio_err);
sl@0	720	goto end;
sl@0	721	}
sl@0	722
sl@0	723	if (cipher != NULL)
sl@0	724	{
sl@0	725	SSL_CTX_set_cipher_list(c_ctx,cipher);
sl@0	726	SSL_CTX_set_cipher_list(s_ctx,cipher);
sl@0	727	}
sl@0	728
sl@0	729	#ifndef OPENSSL_NO_DH
sl@0	730	if (!no_dhe)
sl@0	731	{
sl@0	732	if (dhe1024dsa)
sl@0	733	{
sl@0	734	/* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
sl@0	735	SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
sl@0	736	dh=get_dh1024dsa();
sl@0	737	}
sl@0	738	else if (dhe1024)
sl@0	739	dh=get_dh1024();
sl@0	740	else
sl@0	741	dh=get_dh512();
sl@0	742	SSL_CTX_set_tmp_dh(s_ctx,dh);
sl@0	743	DH_free(dh);
sl@0	744	}
sl@0	745	#else
sl@0	746	(void)no_dhe;
sl@0	747	#endif
sl@0	748
sl@0	749	#ifndef OPENSSL_NO_ECDH
sl@0	750	if (!no_ecdhe)
sl@0	751	{
sl@0	752	int nid;
sl@0	753
sl@0	754	if (named_curve != NULL)
sl@0	755	{
sl@0	756	nid = OBJ_sn2nid(named_curve);
sl@0	757	if (nid == 0)
sl@0	758	{
sl@0	759	BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
sl@0	760	goto end;
sl@0	761	}
sl@0	762	}
sl@0	763	else
sl@0	764	nid = NID_sect163r2;
sl@0	765
sl@0	766	ecdh = EC_KEY_new_by_curve_name(nid);
sl@0	767	if (ecdh == NULL)
sl@0	768	{
sl@0	769	BIO_printf(bio_err, "unable to create curve\n");
sl@0	770	goto end;
sl@0	771	}
sl@0	772
sl@0	773	SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
sl@0	774	SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
sl@0	775	EC_KEY_free(ecdh);
sl@0	776	}
sl@0	777	#else
sl@0	778	(void)no_ecdhe;
sl@0	779	#endif
sl@0	780
sl@0	781	#ifndef OPENSSL_NO_RSA
sl@0	782	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
sl@0	783	#endif
sl@0	784
sl@0	785	if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
sl@0	786	{
sl@0	787	ERR_print_errors(bio_err);
sl@0	788	}
sl@0	789	else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
sl@0	790	(server_key?server_key:server_cert), SSL_FILETYPE_PEM))
sl@0	791	{
sl@0	792	ERR_print_errors(bio_err);
sl@0	793	goto end;
sl@0	794	}
sl@0	795
sl@0	796	if (client_auth)
sl@0	797	{
sl@0	798	SSL_CTX_use_certificate_file(c_ctx,client_cert,
sl@0	799	SSL_FILETYPE_PEM);
sl@0	800	SSL_CTX_use_PrivateKey_file(c_ctx,
sl@0	801	(client_key?client_key:client_cert),
sl@0	802	SSL_FILETYPE_PEM);
sl@0	803	}
sl@0	804
sl@0	805	if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) \|\|
sl@0	806	(!SSL_CTX_set_default_verify_paths(s_ctx)) \|\|
sl@0	807	(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) \|\|
sl@0	808	(!SSL_CTX_set_default_verify_paths(c_ctx)))
sl@0	809	{
sl@0	810	/* fprintf(stderr,"SSL_load_verify_locations\n"); */
sl@0	811	ERR_print_errors(bio_err);
sl@0	812	/* goto end; */
sl@0	813	}
sl@0	814
sl@0	815	if (client_auth)
sl@0	816	{
sl@0	817	BIO_printf(bio_err,"client authentication\n");
sl@0	818	SSL_CTX_set_verify(s_ctx,
sl@0	819	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
sl@0	820	verify_callback);
sl@0	821	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
sl@0	822	}
sl@0	823	if (server_auth)
sl@0	824	{
sl@0	825	BIO_printf(bio_err,"server authentication\n");
sl@0	826	SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
sl@0	827	verify_callback);
sl@0	828	SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
sl@0	829	}
sl@0	830
sl@0	831	{
sl@0	832	int session_id_context = 0;
sl@0	833	SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
sl@0	834	}
sl@0	835
sl@0	836	c_ssl=SSL_new(c_ctx);
sl@0	837	s_ssl=SSL_new(s_ctx);
sl@0	838
sl@0	839	#ifndef OPENSSL_NO_KRB5
sl@0	840	if (c_ssl && c_ssl->kssl_ctx)
sl@0	841	{
sl@0	842	char localhost[MAXHOSTNAMELEN+2];
sl@0	843
sl@0	844	if (gethostname(localhost, sizeof localhost-1) == 0)
sl@0	845	{
sl@0	846	localhost[sizeof localhost-1]='\0';
sl@0	847	if(strlen(localhost) == sizeof localhost-1)
sl@0	848	{
sl@0	849	BIO_printf(bio_err,"localhost name too long\n");
sl@0	850	goto end;
sl@0	851	}
sl@0	852	kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
sl@0	853	localhost);
sl@0	854	}
sl@0	855	}
sl@0	856	#endif /* OPENSSL_NO_KRB5 */
sl@0	857
sl@0	858	for (i=0; i<number; i++)
sl@0	859	{
sl@0	860	if (!reuse) SSL_set_session(c_ssl,NULL);
sl@0	861	if (bio_pair)
sl@0	862	ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
sl@0	863	else
sl@0	864	ret=doit(s_ssl,c_ssl,bytes);
sl@0	865	}
sl@0	866
sl@0	867	if (!verbose)
sl@0	868	{
sl@0	869	print_details(c_ssl, "");
sl@0	870	}
sl@0	871	if ((number > 1) \|\| (bytes > 1L))
sl@0	872	BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
sl@0	873	if (print_time)
sl@0	874	{
sl@0	875	#ifdef CLOCKS_PER_SEC
sl@0	876	/* "To determine the time in seconds, the value returned
sl@0	877	* by the clock function should be divided by the value
sl@0	878	* of the macro CLOCKS_PER_SEC."
sl@0	879	* -- ISO/IEC 9899 */
sl@0	880	BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
sl@0	881	"Approximate total client time: %6.2f s\n",
sl@0	882	(double)s_time/CLOCKS_PER_SEC,
sl@0	883	(double)c_time/CLOCKS_PER_SEC);
sl@0	884	#else
sl@0	885	/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
sl@0	886	* -- cc on NeXTstep/OpenStep */
sl@0	887	BIO_printf(bio_stdout,
sl@0	888	"Approximate total server time: %6.2f units\n"
sl@0	889	"Approximate total client time: %6.2f units\n",
sl@0	890	(double)s_time,
sl@0	891	(double)c_time);
sl@0	892	#endif
sl@0	893	}
sl@0	894
sl@0	895	SSL_free(s_ssl);
sl@0	896	SSL_free(c_ssl);
sl@0	897
sl@0	898	end:
sl@0	899	if (s_ctx != NULL) SSL_CTX_free(s_ctx);
sl@0	900	if (c_ctx != NULL) SSL_CTX_free(c_ctx);
sl@0	901
sl@0	902	if (bio_stdout != NULL) BIO_free(bio_stdout);
sl@0	903
sl@0	904	#ifndef OPENSSL_NO_RSA
sl@0	905	free_tmp_rsa();
sl@0	906	#endif
sl@0	907	#ifndef OPENSSL_NO_ENGINE
sl@0	908	ENGINE_cleanup();
sl@0	909	#endif
sl@0	910	CRYPTO_cleanup_all_ex_data();
sl@0	911	ERR_free_strings();
sl@0	912	ERR_remove_state(0);
sl@0	913	EVP_cleanup();
sl@0	914	CRYPTO_mem_leaks(bio_err);
sl@0	915	if (bio_err != NULL) BIO_free(bio_err);
sl@0	916	EXIT(ret);
sl@0	917	return ret;
sl@0	918	}
sl@0	919
sl@0	920	int doit_biopair(SSL s_ssl, SSL c_ssl, long count,
sl@0	921	clock_t s_time, clock_t c_time)
sl@0	922	{
sl@0	923	long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
sl@0	924	BIO s_ssl_bio = NULL, c_ssl_bio = NULL;
sl@0	925	BIO server = NULL, server_io = NULL, client = NULL, client_io = NULL;
sl@0	926	int ret = 1;
sl@0	927
sl@0	928	size_t bufsiz = 256; /* small buffer for testing */
sl@0	929
sl@0	930	if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
sl@0	931	goto err;
sl@0	932	if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
sl@0	933	goto err;
sl@0	934
sl@0	935	s_ssl_bio = BIO_new(BIO_f_ssl());
sl@0	936	if (!s_ssl_bio)
sl@0	937	goto err;
sl@0	938
sl@0	939	c_ssl_bio = BIO_new(BIO_f_ssl());
sl@0	940	if (!c_ssl_bio)
sl@0	941	goto err;
sl@0	942
sl@0	943	SSL_set_connect_state(c_ssl);
sl@0	944	SSL_set_bio(c_ssl, client, client);
sl@0	945	(void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
sl@0	946
sl@0	947	SSL_set_accept_state(s_ssl);
sl@0	948	SSL_set_bio(s_ssl, server, server);
sl@0	949	(void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
sl@0	950
sl@0	951	do
sl@0	952	{
sl@0	953	/* c_ssl_bio: SSL filter BIO
sl@0	954	*
sl@0	955	* client: pseudo-I/O for SSL library
sl@0	956	*
sl@0	957	* client_io: client's SSL communication; usually to be
sl@0	958	* relayed over some I/O facility, but in this
sl@0	959	* test program, we're the server, too:
sl@0	960	*
sl@0	961	* server_io: server's SSL communication
sl@0	962	*
sl@0	963	* server: pseudo-I/O for SSL library
sl@0	964	*
sl@0	965	* s_ssl_bio: SSL filter BIO
sl@0	966	*
sl@0	967	* The client and the server each employ a "BIO pair":
sl@0	968	* client + client_io, server + server_io.
sl@0	969	* BIO pairs are symmetric. A BIO pair behaves similar
sl@0	970	* to a non-blocking socketpair (but both endpoints must
sl@0	971	* be handled by the same thread).
sl@0	972	* [Here we could connect client and server to the ends
sl@0	973	* of a single BIO pair, but then this code would be less
sl@0	974	* suitable as an example for BIO pairs in general.]
sl@0	975	*
sl@0	976	* Useful functions for querying the state of BIO pair endpoints:
sl@0	977	*
sl@0	978	* BIO_ctrl_pending(bio) number of bytes we can read now
sl@0	979	* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
sl@0	980	* other side's read attempt
sl@0	981	* BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
sl@0	982	*
sl@0	983	* ..._read_request is never more than ..._write_guarantee;
sl@0	984	* it depends on the application which one you should use.
sl@0	985	*/
sl@0	986
sl@0	987	/* We have non-blocking behaviour throughout this test program, but
sl@0	988	* can be sure that there is some progress in each iteration; so
sl@0	989	* we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
sl@0	990	* -- we just try everything in each iteration
sl@0	991	*/
sl@0	992
sl@0	993	{
sl@0	994	/* CLIENT */
sl@0	995
sl@0	996	MS_STATIC char cbuf[1024*8];
sl@0	997	int i, r;
sl@0	998	clock_t c_clock = clock();
sl@0	999
sl@0	1000	memset(cbuf, 0, sizeof(cbuf));
sl@0	1001
sl@0	1002	if (debug)
sl@0	1003	if (SSL_in_init(c_ssl))
sl@0	1004	printf("client waiting in SSL_connect - %s\n",
sl@0	1005	SSL_state_string_long(c_ssl));
sl@0	1006
sl@0	1007	if (cw_num > 0)
sl@0	1008	{
sl@0	1009	/* Write to server. */
sl@0	1010
sl@0	1011	if (cw_num > (long)sizeof cbuf)
sl@0	1012	i = sizeof cbuf;
sl@0	1013	else
sl@0	1014	i = (int)cw_num;
sl@0	1015	r = BIO_write(c_ssl_bio, cbuf, i);
sl@0	1016	if (r < 0)
sl@0	1017	{
sl@0	1018	if (!BIO_should_retry(c_ssl_bio))
sl@0	1019	{
sl@0	1020	fprintf(stderr,"ERROR in CLIENT\n");
sl@0	1021	goto err;
sl@0	1022	}
sl@0	1023	/* BIO_should_retry(...) can just be ignored here.
sl@0	1024	* The library expects us to call BIO_write with
sl@0	1025	* the same arguments again, and that's what we will
sl@0	1026	* do in the next iteration. */
sl@0	1027	}
sl@0	1028	else if (r == 0)
sl@0	1029	{
sl@0	1030	fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
sl@0	1031	goto err;
sl@0	1032	}
sl@0	1033	else
sl@0	1034	{
sl@0	1035	if (debug)
sl@0	1036	printf("client wrote %d\n", r);
sl@0	1037	cw_num -= r;
sl@0	1038	}
sl@0	1039	}
sl@0	1040
sl@0	1041	if (cr_num > 0)
sl@0	1042	{
sl@0	1043	/* Read from server. */
sl@0	1044
sl@0	1045	r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
sl@0	1046	if (r < 0)
sl@0	1047	{
sl@0	1048	if (!BIO_should_retry(c_ssl_bio))
sl@0	1049	{
sl@0	1050	fprintf(stderr,"ERROR in CLIENT\n");
sl@0	1051	goto err;
sl@0	1052	}
sl@0	1053	/* Again, "BIO_should_retry" can be ignored. */
sl@0	1054	}
sl@0	1055	else if (r == 0)
sl@0	1056	{
sl@0	1057	fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
sl@0	1058	goto err;
sl@0	1059	}
sl@0	1060	else
sl@0	1061	{
sl@0	1062	if (debug)
sl@0	1063	printf("client read %d\n", r);
sl@0	1064	cr_num -= r;
sl@0	1065	}
sl@0	1066	}
sl@0	1067
sl@0	1068	/* c_time and s_time increments will typically be very small
sl@0	1069	* (depending on machine speed and clock tick intervals),
sl@0	1070	* but sampling over a large number of connections should
sl@0	1071	* result in fairly accurate figures. We cannot guarantee
sl@0	1072	* a lot, however -- if each connection lasts for exactly
sl@0	1073	* one clock tick, it will be counted only for the client
sl@0	1074	* or only for the server or even not at all.
sl@0	1075	*/
sl@0	1076	*c_time += (clock() - c_clock);
sl@0	1077	}
sl@0	1078
sl@0	1079	{
sl@0	1080	/* SERVER */
sl@0	1081
sl@0	1082	MS_STATIC char sbuf[1024*8];
sl@0	1083	int i, r;
sl@0	1084	clock_t s_clock = clock();
sl@0	1085
sl@0	1086	memset(sbuf, 0, sizeof(sbuf));
sl@0	1087
sl@0	1088	if (debug)
sl@0	1089	if (SSL_in_init(s_ssl))
sl@0	1090	printf("server waiting in SSL_accept - %s\n",
sl@0	1091	SSL_state_string_long(s_ssl));
sl@0	1092
sl@0	1093	if (sw_num > 0)
sl@0	1094	{
sl@0	1095	/* Write to client. */
sl@0	1096
sl@0	1097	if (sw_num > (long)sizeof sbuf)
sl@0	1098	i = sizeof sbuf;
sl@0	1099	else
sl@0	1100	i = (int)sw_num;
sl@0	1101	r = BIO_write(s_ssl_bio, sbuf, i);
sl@0	1102	if (r < 0)
sl@0	1103	{
sl@0	1104	if (!BIO_should_retry(s_ssl_bio))
sl@0	1105	{
sl@0	1106	fprintf(stderr,"ERROR in SERVER\n");
sl@0	1107	goto err;
sl@0	1108	}
sl@0	1109	/* Ignore "BIO_should_retry". */
sl@0	1110	}
sl@0	1111	else if (r == 0)
sl@0	1112	{
sl@0	1113	fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
sl@0	1114	goto err;
sl@0	1115	}
sl@0	1116	else
sl@0	1117	{
sl@0	1118	if (debug)
sl@0	1119	printf("server wrote %d\n", r);
sl@0	1120	sw_num -= r;
sl@0	1121	}
sl@0	1122	}
sl@0	1123
sl@0	1124	if (sr_num > 0)
sl@0	1125	{
sl@0	1126	/* Read from client. */
sl@0	1127
sl@0	1128	r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
sl@0	1129	if (r < 0)
sl@0	1130	{
sl@0	1131	if (!BIO_should_retry(s_ssl_bio))
sl@0	1132	{
sl@0	1133	fprintf(stderr,"ERROR in SERVER\n");
sl@0	1134	goto err;
sl@0	1135	}
sl@0	1136	/* blah, blah */
sl@0	1137	}
sl@0	1138	else if (r == 0)
sl@0	1139	{
sl@0	1140	fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
sl@0	1141	goto err;
sl@0	1142	}
sl@0	1143	else
sl@0	1144	{
sl@0	1145	if (debug)
sl@0	1146	printf("server read %d\n", r);
sl@0	1147	sr_num -= r;
sl@0	1148	}
sl@0	1149	}
sl@0	1150
sl@0	1151	*s_time += (clock() - s_clock);
sl@0	1152	}
sl@0	1153
sl@0	1154	{
sl@0	1155	/* "I/O" BETWEEN CLIENT AND SERVER. */
sl@0	1156
sl@0	1157	size_t r1, r2;
sl@0	1158	BIO io1 = server_io, io2 = client_io;
sl@0	1159	/* we use the non-copying interface for io1
sl@0	1160	* and the standard BIO_write/BIO_read interface for io2
sl@0	1161	*/
sl@0	1162
sl@0	1163	static int prev_progress = 1;
sl@0	1164	int progress = 0;
sl@0	1165
sl@0	1166	/* io1 to io2 */
sl@0	1167	do
sl@0	1168	{
sl@0	1169	size_t num;
sl@0	1170	int r;
sl@0	1171
sl@0	1172	r1 = BIO_ctrl_pending(io1);
sl@0	1173	r2 = BIO_ctrl_get_write_guarantee(io2);
sl@0	1174
sl@0	1175	num = r1;
sl@0	1176	if (r2 < num)
sl@0	1177	num = r2;
sl@0	1178	if (num)
sl@0	1179	{
sl@0	1180	char *dataptr;
sl@0	1181
sl@0	1182	if (INT_MAX < num) /* yeah, right */
sl@0	1183	num = INT_MAX;
sl@0	1184
sl@0	1185	r = BIO_nread(io1, &dataptr, (int)num);
sl@0	1186	assert(r > 0);
sl@0	1187	assert(r <= (int)num);
sl@0	1188	/* possibly r < num (non-contiguous data) */
sl@0	1189	num = r;
sl@0	1190	r = BIO_write(io2, dataptr, (int)num);
sl@0	1191	if (r != (int)num) /* can't happen */
sl@0	1192	{
sl@0	1193	fprintf(stderr, "ERROR: BIO_write could not write "
sl@0	1194	"BIO_ctrl_get_write_guarantee() bytes");
sl@0	1195	goto err;
sl@0	1196	}
sl@0	1197	progress = 1;
sl@0	1198
sl@0	1199	if (debug)
sl@0	1200	printf((io1 == client_io) ?
sl@0	1201	"C->S relaying: %d bytes\n" :
sl@0	1202	"S->C relaying: %d bytes\n",
sl@0	1203	(int)num);
sl@0	1204	}
sl@0	1205	}
sl@0	1206	while (r1 && r2);
sl@0	1207
sl@0	1208	/* io2 to io1 */
sl@0	1209	{
sl@0	1210	size_t num;
sl@0	1211	int r;
sl@0	1212
sl@0	1213	r1 = BIO_ctrl_pending(io2);
sl@0	1214	r2 = BIO_ctrl_get_read_request(io1);
sl@0	1215	/* here we could use ..._get_write_guarantee instead of
sl@0	1216	* ..._get_read_request, but by using the latter
sl@0	1217	* we test restartability of the SSL implementation
sl@0	1218	* more thoroughly */
sl@0	1219	num = r1;
sl@0	1220	if (r2 < num)
sl@0	1221	num = r2;
sl@0	1222	if (num)
sl@0	1223	{
sl@0	1224	char *dataptr;
sl@0	1225
sl@0	1226	if (INT_MAX < num)
sl@0	1227	num = INT_MAX;
sl@0	1228
sl@0	1229	if (num > 1)
sl@0	1230	--num; /* test restartability even more thoroughly */
sl@0	1231
sl@0	1232	r = BIO_nwrite0(io1, &dataptr);
sl@0	1233	assert(r > 0);
sl@0	1234	if (r < (int)num)
sl@0	1235	num = r;
sl@0	1236	r = BIO_read(io2, dataptr, (int)num);
sl@0	1237	if (r != (int)num) /* can't happen */
sl@0	1238	{
sl@0	1239	fprintf(stderr, "ERROR: BIO_read could not read "
sl@0	1240	"BIO_ctrl_pending() bytes");
sl@0	1241	goto err;
sl@0	1242	}
sl@0	1243	progress = 1;
sl@0	1244	r = BIO_nwrite(io1, &dataptr, (int)num);
sl@0	1245	if (r != (int)num) /* can't happen */
sl@0	1246	{
sl@0	1247	fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
sl@0	1248	"BIO_nwrite0() bytes");
sl@0	1249	goto err;
sl@0	1250	}
sl@0	1251
sl@0	1252	if (debug)
sl@0	1253	printf((io2 == client_io) ?
sl@0	1254	"C->S relaying: %d bytes\n" :
sl@0	1255	"S->C relaying: %d bytes\n",
sl@0	1256	(int)num);
sl@0	1257	}
sl@0	1258	} /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
sl@0	1259
sl@0	1260	if (!progress && !prev_progress)
sl@0	1261	if (cw_num > 0 \|\| cr_num > 0 \|\| sw_num > 0 \|\| sr_num > 0)
sl@0	1262	{
sl@0	1263	fprintf(stderr, "ERROR: got stuck\n");
sl@0	1264	if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
sl@0	1265	{
sl@0	1266	fprintf(stderr, "This can happen for SSL2 because "
sl@0	1267	"CLIENT-FINISHED and SERVER-VERIFY are written \n"
sl@0	1268	"concurrently ...");
sl@0	1269	if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
sl@0	1270	&& strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
sl@0	1271	{
sl@0	1272	fprintf(stderr, " ok.\n");
sl@0	1273	goto end;
sl@0	1274	}
sl@0	1275	}
sl@0	1276	fprintf(stderr, " ERROR.\n");
sl@0	1277	goto err;
sl@0	1278	}
sl@0	1279	prev_progress = progress;
sl@0	1280	}
sl@0	1281	}
sl@0	1282	while (cw_num > 0 \|\| cr_num > 0 \|\| sw_num > 0 \|\| sr_num > 0);
sl@0	1283
sl@0	1284	if (verbose)
sl@0	1285	print_details(c_ssl, "DONE via BIO pair: ");
sl@0	1286	end:
sl@0	1287	ret = 0;
sl@0	1288
sl@0	1289	err:
sl@0	1290	ERR_print_errors(bio_err);
sl@0	1291
sl@0	1292	if (server)
sl@0	1293	BIO_free(server);
sl@0	1294	if (server_io)
sl@0	1295	BIO_free(server_io);
sl@0	1296	if (client)
sl@0	1297	BIO_free(client);
sl@0	1298	if (client_io)
sl@0	1299	BIO_free(client_io);
sl@0	1300	if (s_ssl_bio)
sl@0	1301	BIO_free(s_ssl_bio);
sl@0	1302	if (c_ssl_bio)
sl@0	1303	BIO_free(c_ssl_bio);
sl@0	1304
sl@0	1305	return ret;
sl@0	1306	}
sl@0	1307
sl@0	1308
sl@0	1309	#define W_READ 1
sl@0	1310	#define W_WRITE 2
sl@0	1311	#define C_DONE 1
sl@0	1312	#define S_DONE 2
sl@0	1313
sl@0	1314	int doit(SSL s_ssl, SSL c_ssl, long count)
sl@0	1315	{
sl@0	1316	MS_STATIC char cbuf[10248],sbuf[10248];
sl@0	1317	long cw_num=count,cr_num=count;
sl@0	1318	long sw_num=count,sr_num=count;
sl@0	1319	int ret=1;
sl@0	1320	BIO *c_to_s=NULL;
sl@0	1321	BIO *s_to_c=NULL;
sl@0	1322	BIO *c_bio=NULL;
sl@0	1323	BIO *s_bio=NULL;
sl@0	1324	int c_r,c_w,s_r,s_w;
sl@0	1325	int c_want,s_want;
sl@0	1326	int i,j;
sl@0	1327	int done=0;
sl@0	1328	int c_write,s_write;
sl@0	1329	int do_server=0,do_client=0;
sl@0	1330
sl@0	1331	memset(cbuf,0,sizeof(cbuf));
sl@0	1332	memset(sbuf,0,sizeof(sbuf));
sl@0	1333
sl@0	1334	c_to_s=BIO_new(BIO_s_mem());
sl@0	1335	s_to_c=BIO_new(BIO_s_mem());
sl@0	1336	if ((s_to_c == NULL) \|\| (c_to_s == NULL))
sl@0	1337	{
sl@0	1338	ERR_print_errors(bio_err);
sl@0	1339	goto err;
sl@0	1340	}
sl@0	1341
sl@0	1342	c_bio=BIO_new(BIO_f_ssl());
sl@0	1343	s_bio=BIO_new(BIO_f_ssl());
sl@0	1344	if ((c_bio == NULL) \|\| (s_bio == NULL))
sl@0	1345	{
sl@0	1346	ERR_print_errors(bio_err);
sl@0	1347	goto err;
sl@0	1348	}
sl@0	1349
sl@0	1350	SSL_set_connect_state(c_ssl);
sl@0	1351	SSL_set_bio(c_ssl,s_to_c,c_to_s);
sl@0	1352	BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
sl@0	1353
sl@0	1354	SSL_set_accept_state(s_ssl);
sl@0	1355	SSL_set_bio(s_ssl,c_to_s,s_to_c);
sl@0	1356	BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
sl@0	1357
sl@0	1358	c_r=0; s_r=1;
sl@0	1359	c_w=1; s_w=0;
sl@0	1360	c_want=W_WRITE;
sl@0	1361	s_want=0;
sl@0	1362	c_write=1,s_write=0;
sl@0	1363
sl@0	1364	/* We can always do writes */
sl@0	1365	for (;;)
sl@0	1366	{
sl@0	1367	do_server=0;
sl@0	1368	do_client=0;
sl@0	1369
sl@0	1370	i=(int)BIO_pending(s_bio);
sl@0	1371	if ((i && s_r) \|\| s_w) do_server=1;
sl@0	1372
sl@0	1373	i=(int)BIO_pending(c_bio);
sl@0	1374	if ((i && c_r) \|\| c_w) do_client=1;
sl@0	1375
sl@0	1376	if (do_server && debug)
sl@0	1377	{
sl@0	1378	if (SSL_in_init(s_ssl))
sl@0	1379	printf("server waiting in SSL_accept - %s\n",
sl@0	1380	SSL_state_string_long(s_ssl));
sl@0	1381	/* else if (s_write)
sl@0	1382	printf("server:SSL_write()\n");
sl@0	1383	else
sl@0	1384	printf("server:SSL_read()\n"); */
sl@0	1385	}
sl@0	1386
sl@0	1387	if (do_client && debug)
sl@0	1388	{
sl@0	1389	if (SSL_in_init(c_ssl))
sl@0	1390	printf("client waiting in SSL_connect - %s\n",
sl@0	1391	SSL_state_string_long(c_ssl));
sl@0	1392	/* else if (c_write)
sl@0	1393	printf("client:SSL_write()\n");
sl@0	1394	else
sl@0	1395	printf("client:SSL_read()\n"); */
sl@0	1396	}
sl@0	1397
sl@0	1398	if (!do_client && !do_server)
sl@0	1399	{
sl@0	1400	fprintf(stdout,"ERROR IN STARTUP\n");
sl@0	1401	ERR_print_errors(bio_err);
sl@0	1402	break;
sl@0	1403	}
sl@0	1404	if (do_client && !(done & C_DONE))
sl@0	1405	{
sl@0	1406	if (c_write)
sl@0	1407	{
sl@0	1408	j = (cw_num > (long)sizeof(cbuf)) ?
sl@0	1409	(int)sizeof(cbuf) : (int)cw_num;
sl@0	1410	i=BIO_write(c_bio,cbuf,j);
sl@0	1411	if (i < 0)
sl@0	1412	{
sl@0	1413	c_r=0;
sl@0	1414	c_w=0;
sl@0	1415	if (BIO_should_retry(c_bio))
sl@0	1416	{
sl@0	1417	if (BIO_should_read(c_bio))
sl@0	1418	c_r=1;
sl@0	1419	if (BIO_should_write(c_bio))
sl@0	1420	c_w=1;
sl@0	1421	}
sl@0	1422	else
sl@0	1423	{
sl@0	1424	fprintf(stderr,"ERROR in CLIENT\n");
sl@0	1425	ERR_print_errors(bio_err);
sl@0	1426	goto err;
sl@0	1427	}
sl@0	1428	}
sl@0	1429	else if (i == 0)
sl@0	1430	{
sl@0	1431	fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
sl@0	1432	goto err;
sl@0	1433	}
sl@0	1434	else
sl@0	1435	{
sl@0	1436	if (debug)
sl@0	1437	printf("client wrote %d\n",i);
sl@0	1438	/* ok */
sl@0	1439	s_r=1;
sl@0	1440	c_write=0;
sl@0	1441	cw_num-=i;
sl@0	1442	}
sl@0	1443	}
sl@0	1444	else
sl@0	1445	{
sl@0	1446	i=BIO_read(c_bio,cbuf,sizeof(cbuf));
sl@0	1447	if (i < 0)
sl@0	1448	{
sl@0	1449	c_r=0;
sl@0	1450	c_w=0;
sl@0	1451	if (BIO_should_retry(c_bio))
sl@0	1452	{
sl@0	1453	if (BIO_should_read(c_bio))
sl@0	1454	c_r=1;
sl@0	1455	if (BIO_should_write(c_bio))
sl@0	1456	c_w=1;
sl@0	1457	}
sl@0	1458	else
sl@0	1459	{
sl@0	1460	fprintf(stderr,"ERROR in CLIENT\n");
sl@0	1461	ERR_print_errors(bio_err);
sl@0	1462	goto err;
sl@0	1463	}
sl@0	1464	}
sl@0	1465	else if (i == 0)
sl@0	1466	{
sl@0	1467	fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
sl@0	1468	goto err;
sl@0	1469	}
sl@0	1470	else
sl@0	1471	{
sl@0	1472	if (debug)
sl@0	1473	printf("client read %d\n",i);
sl@0	1474	cr_num-=i;
sl@0	1475	if (sw_num > 0)
sl@0	1476	{
sl@0	1477	s_write=1;
sl@0	1478	s_w=1;
sl@0	1479	}
sl@0	1480	if (cr_num <= 0)
sl@0	1481	{
sl@0	1482	s_write=1;
sl@0	1483	s_w=1;
sl@0	1484	done=S_DONE\|C_DONE;
sl@0	1485	}
sl@0	1486	}
sl@0	1487	}
sl@0	1488	}
sl@0	1489
sl@0	1490	if (do_server && !(done & S_DONE))
sl@0	1491	{
sl@0	1492	if (!s_write)
sl@0	1493	{
sl@0	1494	i=BIO_read(s_bio,sbuf,sizeof(cbuf));
sl@0	1495	if (i < 0)
sl@0	1496	{
sl@0	1497	s_r=0;
sl@0	1498	s_w=0;
sl@0	1499	if (BIO_should_retry(s_bio))
sl@0	1500	{
sl@0	1501	if (BIO_should_read(s_bio))
sl@0	1502	s_r=1;
sl@0	1503	if (BIO_should_write(s_bio))
sl@0	1504	s_w=1;
sl@0	1505	}
sl@0	1506	else
sl@0	1507	{
sl@0	1508	fprintf(stderr,"ERROR in SERVER\n");
sl@0	1509	ERR_print_errors(bio_err);
sl@0	1510	goto err;
sl@0	1511	}
sl@0	1512	}
sl@0	1513	else if (i == 0)
sl@0	1514	{
sl@0	1515	ERR_print_errors(bio_err);
sl@0	1516	fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
sl@0	1517	goto err;
sl@0	1518	}
sl@0	1519	else
sl@0	1520	{
sl@0	1521	if (debug)
sl@0	1522	printf("server read %d\n",i);
sl@0	1523	sr_num-=i;
sl@0	1524	if (cw_num > 0)
sl@0	1525	{
sl@0	1526	c_write=1;
sl@0	1527	c_w=1;
sl@0	1528	}
sl@0	1529	if (sr_num <= 0)
sl@0	1530	{
sl@0	1531	s_write=1;
sl@0	1532	s_w=1;
sl@0	1533	c_write=0;
sl@0	1534	}
sl@0	1535	}
sl@0	1536	}
sl@0	1537	else
sl@0	1538	{
sl@0	1539	j = (sw_num > (long)sizeof(sbuf)) ?
sl@0	1540	(int)sizeof(sbuf) : (int)sw_num;
sl@0	1541	i=BIO_write(s_bio,sbuf,j);
sl@0	1542	if (i < 0)
sl@0	1543	{
sl@0	1544	s_r=0;
sl@0	1545	s_w=0;
sl@0	1546	if (BIO_should_retry(s_bio))
sl@0	1547	{
sl@0	1548	if (BIO_should_read(s_bio))
sl@0	1549	s_r=1;
sl@0	1550	if (BIO_should_write(s_bio))
sl@0	1551	s_w=1;
sl@0	1552	}
sl@0	1553	else
sl@0	1554	{
sl@0	1555	fprintf(stderr,"ERROR in SERVER\n");
sl@0	1556	ERR_print_errors(bio_err);
sl@0	1557	goto err;
sl@0	1558	}
sl@0	1559	}
sl@0	1560	else if (i == 0)
sl@0	1561	{
sl@0	1562	ERR_print_errors(bio_err);
sl@0	1563	fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
sl@0	1564	goto err;
sl@0	1565	}
sl@0	1566	else
sl@0	1567	{
sl@0	1568	if (debug)
sl@0	1569	printf("server wrote %d\n",i);
sl@0	1570	sw_num-=i;
sl@0	1571	s_write=0;
sl@0	1572	c_r=1;
sl@0	1573	if (sw_num <= 0)
sl@0	1574	done\|=S_DONE;
sl@0	1575	}
sl@0	1576	}
sl@0	1577	}
sl@0	1578
sl@0	1579	if ((done & S_DONE) && (done & C_DONE)) break;
sl@0	1580	}
sl@0	1581
sl@0	1582	if (verbose)
sl@0	1583	print_details(c_ssl, "DONE: ");
sl@0	1584	ret=0;
sl@0	1585	err:
sl@0	1586	/* We have to set the BIO's to NULL otherwise they will be
sl@0	1587	* OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
sl@0	1588	* again when c_ssl is SSL_free()ed.
sl@0	1589	* This is a hack required because s_ssl and c_ssl are sharing the same
sl@0	1590	* BIO structure and SSL_set_bio() and SSL_free() automatically
sl@0	1591	* BIO_free non NULL entries.
sl@0	1592	* You should not normally do this or be required to do this */
sl@0	1593	if (s_ssl != NULL)
sl@0	1594	{
sl@0	1595	s_ssl->rbio=NULL;
sl@0	1596	s_ssl->wbio=NULL;
sl@0	1597	}
sl@0	1598	if (c_ssl != NULL)
sl@0	1599	{
sl@0	1600	c_ssl->rbio=NULL;
sl@0	1601	c_ssl->wbio=NULL;
sl@0	1602	}
sl@0	1603
sl@0	1604	if (c_to_s != NULL) BIO_free(c_to_s);
sl@0	1605	if (s_to_c != NULL) BIO_free(s_to_c);
sl@0	1606	if (c_bio != NULL) BIO_free_all(c_bio);
sl@0	1607	if (s_bio != NULL) BIO_free_all(s_bio);
sl@0	1608	return(ret);
sl@0	1609	}
sl@0	1610
sl@0	1611	static int get_proxy_auth_ex_data_idx(void)
sl@0	1612	{
sl@0	1613	static volatile int idx = -1;
sl@0	1614	if (idx < 0)
sl@0	1615	{
sl@0	1616	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
sl@0	1617	if (idx < 0)
sl@0	1618	{
sl@0	1619	idx = X509_STORE_CTX_get_ex_new_index(0,
sl@0	1620	"SSLtest for verify callback", NULL,NULL,NULL);
sl@0	1621	}
sl@0	1622	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
sl@0	1623	}
sl@0	1624	return idx;
sl@0	1625	}
sl@0	1626
sl@0	1627	static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
sl@0	1628	{
sl@0	1629	char *s,buf[256];
sl@0	1630
sl@0	1631	s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
sl@0	1632	sizeof buf);
sl@0	1633	if (s != NULL)
sl@0	1634	{
sl@0	1635	if (ok)
sl@0	1636	fprintf(stderr,"depth=%d %s\n",
sl@0	1637	ctx->error_depth,buf);
sl@0	1638	else
sl@0	1639	{
sl@0	1640	fprintf(stderr,"depth=%d error=%d %s\n",
sl@0	1641	ctx->error_depth,ctx->error,buf);
sl@0	1642	}
sl@0	1643	}
sl@0	1644
sl@0	1645	if (ok == 0)
sl@0	1646	{
sl@0	1647	fprintf(stderr,"Error string: %s\n",
sl@0	1648	X509_verify_cert_error_string(ctx->error));
sl@0	1649	switch (ctx->error)
sl@0	1650	{
sl@0	1651	case X509_V_ERR_CERT_NOT_YET_VALID:
sl@0	1652	case X509_V_ERR_CERT_HAS_EXPIRED:
sl@0	1653	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
sl@0	1654	fprintf(stderr," ... ignored.\n");
sl@0	1655	ok=1;
sl@0	1656	}
sl@0	1657	}
sl@0	1658
sl@0	1659	if (ok == 1)
sl@0	1660	{
sl@0	1661	X509 *xs = ctx->current_cert;
sl@0	1662	#if 0
sl@0	1663	X509 *xi = ctx->current_issuer;
sl@0	1664	#endif
sl@0	1665
sl@0	1666	if (xs->ex_flags & EXFLAG_PROXY)
sl@0	1667	{
sl@0	1668	unsigned int *letters =
sl@0	1669	X509_STORE_CTX_get_ex_data(ctx,
sl@0	1670	get_proxy_auth_ex_data_idx());
sl@0	1671
sl@0	1672	if (letters)
sl@0	1673	{
sl@0	1674	int found_any = 0;
sl@0	1675	int i;
sl@0	1676	PROXY_CERT_INFO_EXTENSION *pci =
sl@0	1677	X509_get_ext_d2i(xs, NID_proxyCertInfo,
sl@0	1678	NULL, NULL);
sl@0	1679
sl@0	1680	switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
sl@0	1681	{
sl@0	1682	case NID_Independent:
sl@0	1683	/* Completely meaningless in this
sl@0	1684	program, as there's no way to
sl@0	1685	grant explicit rights to a
sl@0	1686	specific PrC. Basically, using
sl@0	1687	id-ppl-Independent is the perfect
sl@0	1688	way to grant no rights at all. */
sl@0	1689	fprintf(stderr, " Independent proxy certificate");
sl@0	1690	for (i = 0; i < 26; i++)
sl@0	1691	letters[i] = 0;
sl@0	1692	break;
sl@0	1693	case NID_id_ppl_inheritAll:
sl@0	1694	/* This is basically a NOP, we
sl@0	1695	simply let the current rights
sl@0	1696	stand as they are. */
sl@0	1697	fprintf(stderr, " Proxy certificate inherits all");
sl@0	1698	break;
sl@0	1699	default:
sl@0	1700	s = (char *)
sl@0	1701	pci->proxyPolicy->policy->data;
sl@0	1702	i = pci->proxyPolicy->policy->length;
sl@0	1703
sl@0	1704	/* The algorithm works as follows:
sl@0	1705	it is assumed that previous
sl@0	1706	iterations or the initial granted
sl@0	1707	rights has already set some elements
sl@0	1708	of `letters'. What we need to do is
sl@0	1709	to clear those that weren't granted
sl@0	1710	by the current PrC as well. The
sl@0	1711	easiest way to do this is to add 1
sl@0	1712	to all the elements whose letters
sl@0	1713	are given with the current policy.
sl@0	1714	That way, all elements that are set
sl@0	1715	by the current policy and were
sl@0	1716	already set by earlier policies and
sl@0	1717	through the original grant of rights
sl@0	1718	will get the value 2 or higher.
sl@0	1719	The last thing to do is to sweep
sl@0	1720	through `letters' and keep the
sl@0	1721	elements having the value 2 as set,
sl@0	1722	and clear all the others. */
sl@0	1723
sl@0	1724	fprintf(stderr, " Certificate proxy rights = %.s", i, i, s);
sl@0	1725	while(i-- > 0)
sl@0	1726	{
sl@0	1727	int c = *s++;
sl@0	1728	if (isascii(c) && isalpha(c))
sl@0	1729	{
sl@0	1730	if (islower(c))
sl@0	1731	c = toupper(c);
sl@0	1732	letters[c - 'A']++;
sl@0	1733	}
sl@0	1734	}
sl@0	1735	for (i = 0; i < 26; i++)
sl@0	1736	if (letters[i] < 2)
sl@0	1737	letters[i] = 0;
sl@0	1738	else
sl@0	1739	letters[i] = 1;
sl@0	1740	}
sl@0	1741
sl@0	1742	found_any = 0;
sl@0	1743	fprintf(stderr,
sl@0	1744	", resulting proxy rights = ");
sl@0	1745	for(i = 0; i < 26; i++)
sl@0	1746	if (letters[i])
sl@0	1747	{
sl@0	1748	fprintf(stderr, "%c", i + 'A');
sl@0	1749	found_any = 1;
sl@0	1750	}
sl@0	1751	if (!found_any)
sl@0	1752	fprintf(stderr, "none");
sl@0	1753	fprintf(stderr, "\n");
sl@0	1754
sl@0	1755	PROXY_CERT_INFO_EXTENSION_free(pci);
sl@0	1756	}
sl@0	1757	}
sl@0	1758	}
sl@0	1759
sl@0	1760	return(ok);
sl@0	1761	}
sl@0	1762
sl@0	1763	static void process_proxy_debug(int indent, const char *format, ...)
sl@0	1764	{
sl@0	1765	static const char indentation[] =
sl@0	1766	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
sl@0	1767	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
sl@0	1768	char my_format[256];
sl@0	1769	va_list args;
sl@0	1770
sl@0	1771	BIO_snprintf(my_format, sizeof(my_format), "%.s %s",
sl@0	1772	indent, indent, indentation, format);
sl@0	1773
sl@0	1774	va_start(args, format);
sl@0	1775	vfprintf(stderr, my_format, args);
sl@0	1776	va_end(args);
sl@0	1777	}
sl@0	1778	/* Priority levels:
sl@0	1779	0 [!]var, ()
sl@0	1780	1 & ^
sl@0	1781	2 \|
sl@0	1782	*/
sl@0	1783	static int process_proxy_cond_adders(unsigned int letters[26],
sl@0	1784	const char cond, const char cond_end, int pos, int indent);
sl@0	1785	static int process_proxy_cond_val(unsigned int letters[26],
sl@0	1786	const char cond, const char cond_end, int pos, int indent)
sl@0	1787	{
sl@0	1788	int c;
sl@0	1789	int ok = 1;
sl@0	1790	int negate = 0;
sl@0	1791
sl@0	1792	while(isspace((int)*cond))
sl@0	1793	{
sl@0	1794	cond++; (*pos)++;
sl@0	1795	}
sl@0	1796	c = *cond;
sl@0	1797
sl@0	1798	if (debug)
sl@0	1799	process_proxy_debug(indent,
sl@0	1800	"Start process_proxy_cond_val at position %d: %s\n",
sl@0	1801	*pos, cond);
sl@0	1802
sl@0	1803	while(c == '!')
sl@0	1804	{
sl@0	1805	negate = !negate;
sl@0	1806	cond++; (*pos)++;
sl@0	1807	while(isspace((int)*cond))
sl@0	1808	{
sl@0	1809	cond++; (*pos)++;
sl@0	1810	}
sl@0	1811	c = *cond;
sl@0	1812	}
sl@0	1813
sl@0	1814	if (c == '(')
sl@0	1815	{
sl@0	1816	cond++; (*pos)++;
sl@0	1817	ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
sl@0	1818	indent + 1);
sl@0	1819	cond = *cond_end;
sl@0	1820	if (ok < 0)
sl@0	1821	goto end;
sl@0	1822	while(isspace((int)*cond))
sl@0	1823	{
sl@0	1824	cond++; (*pos)++;
sl@0	1825	}
sl@0	1826	c = *cond;
sl@0	1827	if (c != ')')
sl@0	1828	{
sl@0	1829	fprintf(stderr,
sl@0	1830	"Weird condition character in position %d: "
sl@0	1831	"%c\n", *pos, c);
sl@0	1832	ok = -1;
sl@0	1833	goto end;
sl@0	1834	}
sl@0	1835	cond++; (*pos)++;
sl@0	1836	}
sl@0	1837	else if (isascii(c) && isalpha(c))
sl@0	1838	{
sl@0	1839	if (islower(c))
sl@0	1840	c = toupper(c);
sl@0	1841	ok = letters[c - 'A'];
sl@0	1842	cond++; (*pos)++;
sl@0	1843	}
sl@0	1844	else
sl@0	1845	{
sl@0	1846	fprintf(stderr,
sl@0	1847	"Weird condition character in position %d: "
sl@0	1848	"%c\n", *pos, c);
sl@0	1849	ok = -1;
sl@0	1850	goto end;
sl@0	1851	}
sl@0	1852	end:
sl@0	1853	*cond_end = cond;
sl@0	1854	if (ok >= 0 && negate)
sl@0	1855	ok = !ok;
sl@0	1856
sl@0	1857	if (debug)
sl@0	1858	process_proxy_debug(indent,
sl@0	1859	"End process_proxy_cond_val at position %d: %s, returning %d\n",
sl@0	1860	*pos, cond, ok);
sl@0	1861
sl@0	1862	return ok;
sl@0	1863	}
sl@0	1864	static int process_proxy_cond_multipliers(unsigned int letters[26],
sl@0	1865	const char cond, const char cond_end, int pos, int indent)
sl@0	1866	{
sl@0	1867	int ok;
sl@0	1868	char c;
sl@0	1869
sl@0	1870	if (debug)
sl@0	1871	process_proxy_debug(indent,
sl@0	1872	"Start process_proxy_cond_multipliers at position %d: %s\n",
sl@0	1873	*pos, cond);
sl@0	1874
sl@0	1875	ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
sl@0	1876	cond = *cond_end;
sl@0	1877	if (ok < 0)
sl@0	1878	goto end;
sl@0	1879
sl@0	1880	while(ok >= 0)
sl@0	1881	{
sl@0	1882	while(isspace((int)*cond))
sl@0	1883	{
sl@0	1884	cond++; (*pos)++;
sl@0	1885	}
sl@0	1886	c = *cond;
sl@0	1887
sl@0	1888	switch(c)
sl@0	1889	{
sl@0	1890	case '&':
sl@0	1891	case '^':
sl@0	1892	{
sl@0	1893	int save_ok = ok;
sl@0	1894
sl@0	1895	cond++; (*pos)++;
sl@0	1896	ok = process_proxy_cond_val(letters,
sl@0	1897	cond, cond_end, pos, indent + 1);
sl@0	1898	cond = *cond_end;
sl@0	1899	if (ok < 0)
sl@0	1900	break;
sl@0	1901
sl@0	1902	switch(c)
sl@0	1903	{
sl@0	1904	case '&':
sl@0	1905	ok &= save_ok;
sl@0	1906	break;
sl@0	1907	case '^':
sl@0	1908	ok ^= save_ok;
sl@0	1909	break;
sl@0	1910	default:
sl@0	1911	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
sl@0	1912	" STOPPING\n");
sl@0	1913	EXIT(1);
sl@0	1914	}
sl@0	1915	}
sl@0	1916	break;
sl@0	1917	default:
sl@0	1918	goto end;
sl@0	1919	}
sl@0	1920	}
sl@0	1921	end:
sl@0	1922	if (debug)
sl@0	1923	process_proxy_debug(indent,
sl@0	1924	"End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
sl@0	1925	*pos, cond, ok);
sl@0	1926
sl@0	1927	*cond_end = cond;
sl@0	1928	return ok;
sl@0	1929	}
sl@0	1930	static int process_proxy_cond_adders(unsigned int letters[26],
sl@0	1931	const char cond, const char cond_end, int pos, int indent)
sl@0	1932	{
sl@0	1933	int ok;
sl@0	1934	char c;
sl@0	1935
sl@0	1936	if (debug)
sl@0	1937	process_proxy_debug(indent,
sl@0	1938	"Start process_proxy_cond_adders at position %d: %s\n",
sl@0	1939	*pos, cond);
sl@0	1940
sl@0	1941	ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
sl@0	1942	indent + 1);
sl@0	1943	cond = *cond_end;
sl@0	1944	if (ok < 0)
sl@0	1945	goto end;
sl@0	1946
sl@0	1947	while(ok >= 0)
sl@0	1948	{
sl@0	1949	while(isspace((int)*cond))
sl@0	1950	{
sl@0	1951	cond++; (*pos)++;
sl@0	1952	}
sl@0	1953	c = *cond;
sl@0	1954
sl@0	1955	switch(c)
sl@0	1956	{
sl@0	1957	case '\|':
sl@0	1958	{
sl@0	1959	int save_ok = ok;
sl@0	1960
sl@0	1961	cond++; (*pos)++;
sl@0	1962	ok = process_proxy_cond_multipliers(letters,
sl@0	1963	cond, cond_end, pos, indent + 1);
sl@0	1964	cond = *cond_end;
sl@0	1965	if (ok < 0)
sl@0	1966	break;
sl@0	1967
sl@0	1968	switch(c)
sl@0	1969	{
sl@0	1970	case '\|':
sl@0	1971	ok \|= save_ok;
sl@0	1972	break;
sl@0	1973	default:
sl@0	1974	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
sl@0	1975	" STOPPING\n");
sl@0	1976	EXIT(1);
sl@0	1977	}
sl@0	1978	}
sl@0	1979	break;
sl@0	1980	default:
sl@0	1981	goto end;
sl@0	1982	}
sl@0	1983	}
sl@0	1984	end:
sl@0	1985	if (debug)
sl@0	1986	process_proxy_debug(indent,
sl@0	1987	"End process_proxy_cond_adders at position %d: %s, returning %d\n",
sl@0	1988	*pos, cond, ok);
sl@0	1989
sl@0	1990	*cond_end = cond;
sl@0	1991	return ok;
sl@0	1992	}
sl@0	1993
sl@0	1994	static int process_proxy_cond(unsigned int letters[26],
sl@0	1995	const char cond, const char *cond_end)
sl@0	1996	{
sl@0	1997	int pos = 1;
sl@0	1998	return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
sl@0	1999	}
sl@0	2000
sl@0	2001	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
sl@0	2002	{
sl@0	2003	int ok=1;
sl@0	2004	struct app_verify_arg *cb_arg = arg;
sl@0	2005	unsigned int letters[26]; /* only used with proxy_auth */
sl@0	2006
sl@0	2007	if (cb_arg->app_verify)
sl@0	2008	{
sl@0	2009	char *s = NULL,buf[256];
sl@0	2010
sl@0	2011	fprintf(stderr, "In app_verify_callback, allowing cert. ");
sl@0	2012	fprintf(stderr, "Arg is: %s\n", cb_arg->string);
sl@0	2013	fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
sl@0	2014	(void )ctx, (void )ctx->cert);
sl@0	2015	if (ctx->cert)
sl@0	2016	s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
sl@0	2017	if (s != NULL)
sl@0	2018	{
sl@0	2019	fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
sl@0	2020	}
sl@0	2021	return(1);
sl@0	2022	}
sl@0	2023	if (cb_arg->proxy_auth)
sl@0	2024	{
sl@0	2025	int found_any = 0, i;
sl@0	2026	char *sp;
sl@0	2027
sl@0	2028	for(i = 0; i < 26; i++)
sl@0	2029	letters[i] = 0;
sl@0	2030	for(sp = cb_arg->proxy_auth; *sp; sp++)
sl@0	2031	{
sl@0	2032	int c = *sp;
sl@0	2033	if (isascii(c) && isalpha(c))
sl@0	2034	{
sl@0	2035	if (islower(c))
sl@0	2036	c = toupper(c);
sl@0	2037	letters[c - 'A'] = 1;
sl@0	2038	}
sl@0	2039	}
sl@0	2040
sl@0	2041	fprintf(stderr,
sl@0	2042	" Initial proxy rights = ");
sl@0	2043	for(i = 0; i < 26; i++)
sl@0	2044	if (letters[i])
sl@0	2045	{
sl@0	2046	fprintf(stderr, "%c", i + 'A');
sl@0	2047	found_any = 1;
sl@0	2048	}
sl@0	2049	if (!found_any)
sl@0	2050	fprintf(stderr, "none");
sl@0	2051	fprintf(stderr, "\n");
sl@0	2052
sl@0	2053	X509_STORE_CTX_set_ex_data(ctx,
sl@0	2054	get_proxy_auth_ex_data_idx(),letters);
sl@0	2055	}
sl@0	2056	if (cb_arg->allow_proxy_certs)
sl@0	2057	{
sl@0	2058	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
sl@0	2059	}
sl@0	2060
sl@0	2061	#ifndef OPENSSL_NO_X509_VERIFY
sl@0	2062	# ifdef OPENSSL_FIPS
sl@0	2063	if(s->version == TLS1_VERSION)
sl@0	2064	FIPS_allow_md5(1);
sl@0	2065	# endif
sl@0	2066	ok = X509_verify_cert(ctx);
sl@0	2067	# ifdef OPENSSL_FIPS
sl@0	2068	if(s->version == TLS1_VERSION)
sl@0	2069	FIPS_allow_md5(0);
sl@0	2070	# endif
sl@0	2071	#endif
sl@0	2072
sl@0	2073	if (cb_arg->proxy_auth)
sl@0	2074	{
sl@0	2075	if (ok)
sl@0	2076	{
sl@0	2077	const char *cond_end = NULL;
sl@0	2078
sl@0	2079	ok = process_proxy_cond(letters,
sl@0	2080	cb_arg->proxy_cond, &cond_end);
sl@0	2081
sl@0	2082	if (ok < 0)
sl@0	2083	EXIT(3);
sl@0	2084	if (*cond_end)
sl@0	2085	{
sl@0	2086	fprintf(stderr, "Stopped processing condition before it's end.\n");
sl@0	2087	ok = 0;
sl@0	2088	}
sl@0	2089	if (!ok)
sl@0	2090	fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
sl@0	2091	cb_arg->proxy_cond);
sl@0	2092	else
sl@0	2093	fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
sl@0	2094	cb_arg->proxy_cond);
sl@0	2095	}
sl@0	2096	}
sl@0	2097	return(ok);
sl@0	2098	}
sl@0	2099
sl@0	2100	#ifndef OPENSSL_NO_RSA
sl@0	2101	static RSA *rsa_tmp=NULL;
sl@0	2102
sl@0	2103	static RSA MS_CALLBACK tmp_rsa_cb(SSL s, int is_export, int keylength)
sl@0	2104	{
sl@0	2105	BIGNUM *bn = NULL;
sl@0	2106	if (rsa_tmp == NULL)
sl@0	2107	{
sl@0	2108	bn = BN_new();
sl@0	2109	rsa_tmp = RSA_new();
sl@0	2110	if(!bn \|\| !rsa_tmp \|\| !BN_set_word(bn, RSA_F4))
sl@0	2111	{
sl@0	2112	BIO_printf(bio_err, "Memory error...");
sl@0	2113	goto end;
sl@0	2114	}
sl@0	2115	BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
sl@0	2116	(void)BIO_flush(bio_err);
sl@0	2117	if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
sl@0	2118	{
sl@0	2119	BIO_printf(bio_err, "Error generating key.");
sl@0	2120	RSA_free(rsa_tmp);
sl@0	2121	rsa_tmp = NULL;
sl@0	2122	}
sl@0	2123	end:
sl@0	2124	BIO_printf(bio_err,"\n");
sl@0	2125	(void)BIO_flush(bio_err);
sl@0	2126	}
sl@0	2127	if(bn) BN_free(bn);
sl@0	2128	return(rsa_tmp);
sl@0	2129	}
sl@0	2130
sl@0	2131	static void free_tmp_rsa(void)
sl@0	2132	{
sl@0	2133	if (rsa_tmp != NULL)
sl@0	2134	{
sl@0	2135	RSA_free(rsa_tmp);
sl@0	2136	rsa_tmp = NULL;
sl@0	2137	}
sl@0	2138	}
sl@0	2139	#endif
sl@0	2140
sl@0	2141	#ifndef OPENSSL_NO_DH
sl@0	2142	/* These DH parameters have been generated as follows:
sl@0	2143	* $ openssl dhparam -C -noout 512
sl@0	2144	* $ openssl dhparam -C -noout 1024
sl@0	2145	* $ openssl dhparam -C -noout -dsaparam 1024
sl@0	2146	* (The third function has been renamed to avoid name conflicts.)
sl@0	2147	*/
sl@0	2148	static DH *get_dh512()
sl@0	2149	{
sl@0	2150	static unsigned char dh512_p[]={
sl@0	2151	0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
sl@0	2152	0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
sl@0	2153	0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
sl@0	2154	0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
sl@0	2155	0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
sl@0	2156	0x02,0xC5,0xAE,0x23,
sl@0	2157	};
sl@0	2158	static unsigned char dh512_g[]={
sl@0	2159	0x02,
sl@0	2160	};
sl@0	2161	DH *dh;
sl@0	2162
sl@0	2163	if ((dh=DH_new()) == NULL) return(NULL);
sl@0	2164	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
sl@0	2165	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
sl@0	2166	if ((dh->p == NULL) \|\| (dh->g == NULL))
sl@0	2167	{ DH_free(dh); return(NULL); }
sl@0	2168	return(dh);
sl@0	2169	}
sl@0	2170
sl@0	2171	static DH *get_dh1024()
sl@0	2172	{
sl@0	2173	static unsigned char dh1024_p[]={
sl@0	2174	0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
sl@0	2175	0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
sl@0	2176	0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
sl@0	2177	0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
sl@0	2178	0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
sl@0	2179	0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
sl@0	2180	0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
sl@0	2181	0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
sl@0	2182	0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
sl@0	2183	0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
sl@0	2184	0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
sl@0	2185	};
sl@0	2186	static unsigned char dh1024_g[]={
sl@0	2187	0x02,
sl@0	2188	};
sl@0	2189	DH *dh;
sl@0	2190
sl@0	2191	if ((dh=DH_new()) == NULL) return(NULL);
sl@0	2192	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
sl@0	2193	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
sl@0	2194	if ((dh->p == NULL) \|\| (dh->g == NULL))
sl@0	2195	{ DH_free(dh); return(NULL); }
sl@0	2196	return(dh);
sl@0	2197	}
sl@0	2198
sl@0	2199	static DH *get_dh1024dsa()
sl@0	2200	{
sl@0	2201	static unsigned char dh1024_p[]={
sl@0	2202	0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
sl@0	2203	0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
sl@0	2204	0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
sl@0	2205	0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
sl@0	2206	0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
sl@0	2207	0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
sl@0	2208	0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
sl@0	2209	0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
sl@0	2210	0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
sl@0	2211	0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
sl@0	2212	0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
sl@0	2213	};
sl@0	2214	static unsigned char dh1024_g[]={
sl@0	2215	0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
sl@0	2216	0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
sl@0	2217	0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
sl@0	2218	0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
sl@0	2219	0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
sl@0	2220	0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
sl@0	2221	0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
sl@0	2222	0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
sl@0	2223	0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
sl@0	2224	0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
sl@0	2225	0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
sl@0	2226	};
sl@0	2227	DH *dh;
sl@0	2228
sl@0	2229	if ((dh=DH_new()) == NULL) return(NULL);
sl@0	2230	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
sl@0	2231	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
sl@0	2232	if ((dh->p == NULL) \|\| (dh->g == NULL))
sl@0	2233	{ DH_free(dh); return(NULL); }
sl@0	2234	dh->length = 160;
sl@0	2235	return(dh);
sl@0	2236	}
sl@0	2237	#endif
sl@0	2238
sl@0	2239	static int do_test_cipherlist(void)
sl@0	2240	{
sl@0	2241	int i = 0;
sl@0	2242	const SSL_METHOD *meth;
sl@0	2243	SSL_CIPHER ci, tci = NULL;
sl@0	2244
sl@0	2245	#ifndef OPENSSL_NO_SSL2
sl@0	2246	fprintf(stderr, "testing SSLv2 cipher list order: ");
sl@0	2247	meth = SSLv2_method();
sl@0	2248	while ((ci = meth->get_cipher(i++)) != NULL)
sl@0	2249	{
sl@0	2250	if (tci != NULL)
sl@0	2251	if (ci->id >= tci->id)
sl@0	2252	{
sl@0	2253	fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
sl@0	2254	return 0;
sl@0	2255	}
sl@0	2256	tci = ci;
sl@0	2257	}
sl@0	2258	fprintf(stderr, "ok\n");
sl@0	2259	#endif
sl@0	2260	#ifndef OPENSSL_NO_SSL3
sl@0	2261	fprintf(stderr, "testing SSLv3 cipher list order: ");
sl@0	2262	meth = SSLv3_method();
sl@0	2263	tci = NULL;
sl@0	2264	while ((ci = meth->get_cipher(i++)) != NULL)
sl@0	2265	{
sl@0	2266	if (tci != NULL)
sl@0	2267	if (ci->id >= tci->id)
sl@0	2268	{
sl@0	2269	fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
sl@0	2270	return 0;
sl@0	2271	}
sl@0	2272	tci = ci;
sl@0	2273	}
sl@0	2274	fprintf(stderr, "ok\n");
sl@0	2275	#endif
sl@0	2276	#ifndef OPENSSL_NO_TLS1
sl@0	2277	fprintf(stderr, "testing TLSv1 cipher list order: ");
sl@0	2278	meth = TLSv1_method();
sl@0	2279	tci = NULL;
sl@0	2280	while ((ci = meth->get_cipher(i++)) != NULL)
sl@0	2281	{
sl@0	2282	if (tci != NULL)
sl@0	2283	if (ci->id >= tci->id)
sl@0	2284	{
sl@0	2285	fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
sl@0	2286	return 0;
sl@0	2287	}
sl@0	2288	tci = ci;
sl@0	2289	}
sl@0	2290	fprintf(stderr, "ok\n");
sl@0	2291	#endif
sl@0	2292
sl@0	2293	return 1;
sl@0	2294	}

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--