2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 © Portions copyright (c) 2006, 2010 Nokia Corporation. All rights reserved.
120 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
121 on Linux and GNU platforms. */
131 #include <sys/stat.h>
139 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
140 VMS (at least with DECompHP C). */
143 #include <openssl/bio.h>
144 #include <openssl/crypto.h>
145 #include <openssl/evp.h>
146 #include <openssl/x509.h>
147 #include <openssl/x509v3.h>
148 #include <openssl/ssl.h>
149 #ifndef OPENSSL_NO_ENGINE
150 #include <openssl/engine.h>
152 #include <openssl/err.h>
153 #include <openssl/rand.h>
154 #ifndef OPENSSL_NO_RSA
155 #include <openssl/rsa.h>
157 #ifndef OPENSSL_NO_DSA
158 #include <openssl/dsa.h>
160 #ifndef OPENSSL_NO_DH
161 #include <openssl/dh.h>
163 #include <openssl/bn.h>
165 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
166 on Compaq platforms (at least with DEC C).
167 Do not try to put it earlier, or IPv6 includes
171 #ifdef OPENSSL_SYS_WINDOWS
174 #include OPENSSL_UNISTD
177 #ifdef OPENSSL_SYS_VMS
178 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
179 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
180 #elif defined(OPENSSL_SYS_WINCE)
181 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
182 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
183 #elif defined(OPENSSL_SYS_NETWARE)
184 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
185 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
186 #elif defined(SYMBIAN)
187 # define TEST_SERVER_CERT "c:\\server.pem"
188 # define TEST_CLIENT_CERT "c:\\client.pem"
190 # define TEST_SERVER_CERT "../apps/server.pem"
191 # define TEST_CLIENT_CERT "../apps/client.pem"
194 /* There is really no standard for this, so let's assign some tentative
195 numbers. In any case, these numbers are only for this test */
199 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
200 #ifndef OPENSSL_NO_RSA
201 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
202 static void free_tmp_rsa(void);
204 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
205 #define APP_CALLBACK_STRING "Test Callback Argument"
206 struct app_verify_arg
210 int allow_proxy_certs;
215 #ifndef OPENSSL_NO_DH
216 static DH *get_dh512(void);
217 static DH *get_dh1024(void);
218 static DH *get_dh1024dsa(void);
221 static BIO *bio_err=NULL;
222 static BIO *bio_stdout=NULL;
224 static char *cipher=NULL;
225 static int verbose=0;
240 #define LOG_STDOUT "c:\\file_stdout"
241 #define LOG_STDIN "c:\\file_stdin"
242 #define LOG_STDERR "c:\\file_stderr"
246 // This function is used to generate the xml file used bt ATS
247 void testResultXml(char *filename,int retval)
253 char xmlfilename[256];
255 time_t t = time(NULL);
257 struct tm *tm1 = localtime(&t);
259 char *atsinitmsg = "<test-report>\n\t<test-batch>";
261 char *atsbatchinit1 = \
263 \n\t\t\t<description></description>\
266 char *atsbatchinit2 = "</date>\
267 \n\t\t\t<factory>NA</factory>\
269 \n\t\t\t\t<name>NA</name>\
270 \n\t\t\t\t<version>NA</version>\
271 \n\t\t\t</component>\
272 \n\t\t</batch-init>";
274 char *atsbatchresult= \
275 "\n\t\t<batch-result>\
276 \n\t\t\t<run-time>00:00:00</run-time>\
277 \n\t\t</batch-result>";
279 char *atsclosemsg = \
281 \n</test-report>\n ";
283 char *atstestinit = "\n\t\t<test-case time-stamp=\"00:00:00\">";
286 char *atscaseinit1 = \
287 "\n\t\t\t<case-init>\
288 \n\t\t\t\t<version></version>\
291 char *atscaseinit2 = "</id>\
292 \n\t\t\t\t<expected-result description=\"\">0</expected-result>\
293 \n\t\t\t</case-init>";
295 char *atscaseresult1= \
296 "\n\t\t\t<case-result status=\"";
298 char *atscaseresult2= "\">\
299 \n\t\t\t\t<actual-result>0</actual-result>\
300 \n\t\t\t\t<run-time>00:00:00</run-time>\
301 \n\t\t\t</case-result>";
303 char *atstestclose = "\n\t\t</test-case>";
308 dir = opendir("c:\\spd_logs");
310 mkdir("c:\\spd_logs",0777);
312 dir = opendir("c:\\spd_logs\\xml");
314 mkdir("c:\\spd_logs\\xml",0777);
316 // create the xml file name
317 strcpy(xmlfilename,"c:/spd_logs/xml/");
318 strcat(xmlfilename,filename);
319 strcat(xmlfilename,".xml");
321 strftime(time_buf,50,"%c",tm1);
324 strcpy(result,"FAILED");
326 strcpy(result,"PASSED");
328 fp = fopen(xmlfilename,"w");
332 fprintf(fp,"%s%s%s%s%s%s%s%s%s%s%s%s%s%s",atsinitmsg,atsbatchinit1,time_buf,atsbatchinit2,atstestinit,
333 atscaseinit1,filename,atscaseinit2,atscaseresult1,result,atscaseresult2,
334 atstestclose,atsbatchresult,atsclosemsg);
341 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
343 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
344 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
345 static int do_test_cipherlist(void);
346 static void sv_usage(void)
348 fprintf(stderr,"usage: ssltest [args ...]\n");
349 fprintf(stderr,"\n");
350 fprintf(stderr," -server_auth - check server certificate\n");
351 fprintf(stderr," -client_auth - do client authentication\n");
352 fprintf(stderr," -symstore <symfile> - symbian store certificates\n");
353 fprintf(stderr," -proxy - allow proxy certificates\n");
354 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
355 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
356 fprintf(stderr," -v - more output\n");
357 fprintf(stderr," -d - debug output\n");
358 fprintf(stderr," -reuse - use session-id reuse\n");
359 fprintf(stderr," -num <val> - number of connections to perform\n");
360 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
361 #ifndef OPENSSL_NO_DH
362 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
363 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
364 fprintf(stderr," -no_dhe - disable DHE\n");
366 #ifndef OPENSSL_NO_ECDH
367 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
369 #ifndef OPENSSL_NO_SSL2
370 fprintf(stderr," -ssl2 - use SSLv2\n");
372 #ifndef OPENSSL_NO_SSL3
373 fprintf(stderr," -ssl3 - use SSLv3\n");
375 #ifndef OPENSSL_NO_TLS1
376 fprintf(stderr," -tls1 - use TLSv1\n");
378 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
379 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
380 fprintf(stderr," -cert arg - Server certificate file\n");
381 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
382 fprintf(stderr," -c_cert arg - Client certificate file\n");
383 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
384 fprintf(stderr," -cipher arg - The cipher list\n");
385 fprintf(stderr," -bio_pair - Use BIO pairs\n");
386 fprintf(stderr," -f - Test even cases that can't work\n");
387 fprintf(stderr," -time - measure processor time used by client and server\n");
388 fprintf(stderr," -zlib - use zlib compression\n");
389 fprintf(stderr," -rle - use rle compression\n");
390 #ifndef OPENSSL_NO_ECDH
391 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
392 " Use \"openssl ecparam -list_curves\" for all names\n" \
393 " (default is sect163r2).\n");
395 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
399 static void print_details(SSL *c_ssl, const char *prefix)
404 ciph=SSL_get_current_cipher(c_ssl);
405 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
407 SSL_get_version(c_ssl),
408 SSL_CIPHER_get_version(ciph),
409 SSL_CIPHER_get_name(ciph));
410 cert=SSL_get_peer_certificate(c_ssl);
413 EVP_PKEY *pkey = X509_get_pubkey(cert);
418 #ifndef OPENSSL_NO_RSA
419 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
420 && pkey->pkey.rsa->n != NULL)
422 BIO_printf(bio_stdout, ", %d bit RSA",
423 BN_num_bits(pkey->pkey.rsa->n));
426 #ifndef OPENSSL_NO_DSA
427 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
428 && pkey->pkey.dsa->p != NULL)
430 BIO_printf(bio_stdout, ", %d bit DSA",
431 BN_num_bits(pkey->pkey.dsa->p));
438 /* The SSL API does not allow us to look at temporary RSA/DH keys,
439 * otherwise we should print their lengths too */
440 BIO_printf(bio_stdout,"\n");
443 static void lock_dbg_cb(int mode, int type, const char *file, int line)
445 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
446 const char *errstr = NULL;
449 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
450 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
452 errstr = "invalid mode";
456 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
458 errstr = "type out of bounds";
462 if (mode & CRYPTO_LOCK)
466 errstr = "already locked";
467 /* must not happen in a single-threaded program
468 * (would deadlock) */
474 else if (mode & CRYPTO_UNLOCK)
478 errstr = "not locked";
482 if (modes[type] != rw)
484 errstr = (rw == CRYPTO_READ) ?
485 "CRYPTO_r_unlock on write lock" :
486 "CRYPTO_w_unlock on read lock";
493 errstr = "invalid mode";
500 /* we cannot use bio_err here */
501 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
502 errstr, mode, type, file, line);
507 //-----------------------------------------------------------------------------
508 //function function for destroying argv
509 //-----------------------------------------------------------------------------
510 void DeleteArgs(char ** cmd_line,int argc)
513 for(i=0;i<argc;i++) free(cmd_line[i]);
520 char** create_params(char *ip_str,int *argc)
523 char **cmd_line=NULL;
524 char *str=NULL,*ptr=NULL;
527 //int* p = (int*) User::Alloc(10);
537 paramets[cnt]=(char *)malloc(sizeof(char)*len+1);
540 strncpy(paramets[cnt],str,len);
541 paramets[cnt][len]='\0';
550 paramets[cnt]=(char *)malloc(sizeof(char)*len+1);
552 strcpy(paramets[cnt],str);
560 cmd_line=(char **)malloc(cnt*sizeof(char *));
562 cmd_line[i]=paramets[i];
570 int testssl_init(void)
572 //fp_stdout = fopen(LOG_STDOUT,"w+");
573 fp_stdout = freopen(LOG_STDOUT,"a",stdout);
576 //fp_stderr = fopen(LOG_STDERR,"w+");
577 fp_stderr = freopen(LOG_STDERR,"a",stderr);
580 fp_stdin = freopen(LOG_STDIN,"a",stdin);
581 //fp_stdin = fopen(LOG_STDIN,"a");
587 void testssl_deinit(void)
594 int main(int argc, char *argv[])
606 fprintf(stdout,"\n");
609 fprintf(stdout,"%s ",argv[i]);
610 fprintf(stderr,"%s ",argv[i]);
612 fprintf(stdout,"\n");
613 fprintf(stderr,"\n");
615 strcpy(ssltestnum,argv[1]);
620 ret = ssl_main(argc,argv);
622 //Call routine to write XML file here depending on ret value.
623 testResultXml(ssltestnum, ret);
628 #endif /* IF_DEF SYMBIAN */
632 int main(int argc, char *argv[])
634 int ssl_main(int argc, char *argv[])
635 //int main(int argc, char *argv[])
638 char *CApath=NULL,*CAfile=NULL;
642 int tls1=0,ssl2=0,ssl3=0,ret=1;
646 struct app_verify_arg app_verify_arg =
647 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
648 char *server_cert=TEST_SERVER_CERT;
649 char *server_key=NULL;
650 char *client_cert=TEST_CLIENT_CERT;
651 char *client_key=NULL;
652 char *symfile = NULL;
655 X509_INFO *x509_info = NULL;
656 STACK_OF(X509_INFO) *x509_inf_st =NULL;
657 X509_STORE_CTX st_ctx;
658 STACK_OF(X509)* x509_sk = sk_X509_new_null();
659 #ifndef OPENSSL_NO_ECDH
660 char *named_curve = NULL;
664 SSL_METHOD *meth=NULL;
666 int number=1,reuse=0;
668 #ifndef OPENSSL_NO_DH
670 int dhe1024 = 0, dhe1024dsa = 0;
672 #ifndef OPENSSL_NO_ECDH
678 clock_t s_time = 0, c_time = 0;
680 #ifndef OPENSSL_NO_COMP
681 COMP_METHOD *cm = NULL;
683 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
684 int test_cipherlist = 0;
685 char KDefinion[]="After";
697 SSL_load_error_strings();
699 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
701 CRYPTO_set_locking_callback(lock_dbg_cb);
703 /* enable memory leak checking unless explicitly disabled */
704 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
706 CRYPTO_malloc_debug_init();
707 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
711 /* OPENSSL_DEBUG_MEMORY=off */
712 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
714 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
716 RAND_seed(rnd_seed, sizeof rnd_seed);
718 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
728 if (strcmp(*argv,"-server_auth") == 0)
730 else if (strcmp(*argv,"-client_auth") == 0)
732 else if (strcmp(*argv,"-proxy_auth") == 0)
734 if (--argc < 1) goto bad;
735 app_verify_arg.proxy_auth= *(++argv);
737 else if (strcmp(*argv,"-proxy_cond") == 0)
739 if (--argc < 1) goto bad;
740 app_verify_arg.proxy_cond= *(++argv);
742 else if (strcmp(*argv,"-v") == 0)
744 else if (strcmp(*argv,"-d") == 0)
746 else if (strcmp(*argv,"-reuse") == 0)
748 else if (strcmp(*argv,"-dhe1024") == 0)
750 #ifndef OPENSSL_NO_DH
753 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
756 else if (strcmp(*argv,"-dhe1024dsa") == 0)
758 #ifndef OPENSSL_NO_DH
761 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
764 else if (strcmp(*argv,"-no_dhe") == 0)
766 else if (strcmp(*argv,"-no_ecdhe") == 0)
768 else if (strcmp(*argv,"-ssl2") == 0)
770 else if (strcmp(*argv,"-tls1") == 0)
772 else if (strcmp(*argv,"-ssl3") == 0)
774 else if (strncmp(*argv,"-num",4) == 0)
776 if (--argc < 1) goto bad;
777 number= atoi(*(++argv));
778 if (number == 0) number=1;
780 else if (strcmp(*argv,"-bytes") == 0)
782 if (--argc < 1) goto bad;
783 bytes= atol(*(++argv));
784 if (bytes == 0L) bytes=1L;
786 if (argv[0][i-1] == 'k') bytes*=1024L;
787 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
789 else if (strcmp(*argv,"-cert") == 0)
791 if (--argc < 1) goto bad;
792 server_cert= *(++argv);
794 else if (strcmp(*argv,"-s_cert") == 0)
796 if (--argc < 1) goto bad;
797 server_cert= *(++argv);
799 else if (strcmp(*argv,"-key") == 0)
801 if (--argc < 1) goto bad;
802 server_key= *(++argv);
804 else if (strcmp(*argv,"-s_key") == 0)
806 if (--argc < 1) goto bad;
807 server_key= *(++argv);
809 else if (strcmp(*argv,"-c_cert") == 0)
811 if (--argc < 1) goto bad;
812 client_cert= *(++argv);
814 else if (strcmp(*argv,"-c_key") == 0)
816 if (--argc < 1) goto bad;
817 client_key= *(++argv);
819 else if (strcmp(*argv,"-cipher") == 0)
821 if (--argc < 1) goto bad;
824 else if (strcmp(*argv,"-CApath") == 0)
826 if (--argc < 1) goto bad;
829 else if (strcmp(*argv,"-CAfile") == 0)
831 if (--argc < 1) goto bad;
834 else if (strcmp(*argv,"-bio_pair") == 0)
838 else if (strcmp(*argv,"-f") == 0)
842 else if (strcmp(*argv,"-time") == 0)
846 else if (strcmp(*argv,"-zlib") == 0)
850 else if (strcmp(*argv,"-rle") == 0)
854 else if (strcmp(*argv,"-named_curve") == 0)
856 if (--argc < 1) goto bad;
857 #ifndef OPENSSL_NO_ECDH
858 named_curve = *(++argv);
860 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
864 else if (strcmp(*argv,"-app_verify") == 0)
866 app_verify_arg.app_verify = 1;
868 else if (strcmp(*argv,"-proxy") == 0)
870 app_verify_arg.allow_proxy_certs = 1;
872 else if (strcmp(*argv,"-test_cipherlist") == 0)
876 else if (strcmp(*argv,"-symstore") == 0)
884 fprintf(stderr,"unknown option %s\n",*argv);
898 if (test_cipherlist == 1)
900 /* ensure that the cipher list are correctly sorted and exit */
901 if (do_test_cipherlist() == 0)
903 fprintf(stderr, "FAILED:do_test_cipherlist\n");
911 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
913 fprintf(stderr, "This case cannot work. Use -f to perform "
914 "the test anyway (and\n-d to see what happens), "
915 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
916 "to avoid protocol mismatch.\n");
926 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
929 if (number < 50 && !force)
930 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
933 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
936 SSL_load_error_strings();
938 #ifndef OPENSSL_NO_COMP
939 if (comp == COMP_ZLIB) cm = COMP_zlib();
940 if (comp == COMP_RLE) cm = COMP_rle();
943 if (cm->type != NID_undef)
945 if (SSL_COMP_add_compression_method(comp, cm) != 0)
948 "Failed to add compression method\n");
949 ERR_print_errors_fp(stderr);
955 "Warning: %s compression not supported\n",
956 (comp == COMP_RLE ? "rle" :
957 (comp == COMP_ZLIB ? "zlib" :
959 ERR_print_errors_fp(stderr);
962 ssl_comp_methods = SSL_COMP_get_compression_methods();
963 fprintf(stderr, "Available compression methods:\n");
965 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
967 fprintf(stderr, " NONE\n");
969 for (j = 0; j < n; j++)
971 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
972 fprintf(stderr, " %d: %s\n", c->id, c->name);
977 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
987 meth=SSLv23_method();
989 #ifdef OPENSSL_NO_SSL2
996 c_ctx=SSL_CTX_new(meth);
997 s_ctx=SSL_CTX_new(meth);
998 if ((c_ctx == NULL) || (s_ctx == NULL))
1000 ERR_print_errors(bio_err);
1006 SSL_CTX_set_cipher_list(c_ctx,cipher);
1007 SSL_CTX_set_cipher_list(s_ctx,cipher);
1010 #ifndef OPENSSL_NO_DH
1015 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
1016 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
1023 SSL_CTX_set_tmp_dh(s_ctx,dh);
1030 #ifndef OPENSSL_NO_ECDH
1035 if (named_curve != NULL)
1037 nid = OBJ_sn2nid(named_curve);
1040 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
1045 nid = NID_sect163r2;
1047 ecdh = EC_KEY_new_by_curve_name(nid);
1050 BIO_printf(bio_err, "unable to create curve\n");
1054 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
1055 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
1062 #ifndef OPENSSL_NO_RSA
1063 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
1066 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
1068 ERR_print_errors(bio_err);
1070 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
1071 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
1073 ERR_print_errors(bio_err);
1079 SSL_CTX_use_certificate_file(c_ctx,client_cert,
1081 SSL_CTX_use_PrivateKey_file(c_ctx,
1082 (client_key?client_key:client_cert),
1086 #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__)))
1087 sleep(30); //we sleep till the required servers are up
1090 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
1091 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
1092 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
1093 (!SSL_CTX_set_default_verify_paths(c_ctx)))
1095 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1096 ERR_print_errors(bio_err);
1101 BIO_printf(bio_stdout,"certificates from symbian store\n");
1102 if (!SSL_CTX_set_default_verify_paths(c_ctx))
1104 BIO_printf(bio_err,"Failed to retrieve certificates from symbian store\n");
1110 BIO_printf(bio_stdout,"symbian certificates loaded\n");
1113 BIO_printf(bio_stdout,"symfile is not NULL\n");
1114 io = BIO_new_file(symfile, "r");
1120 x509_inf_st = PEM_X509_INFO_read_bio(io, NULL, NULL, NULL);
1128 x509_info = sk_X509_INFO_value(x509_inf_st, 0);
1131 BIO_printf(bio_stdout,"x509 structure is not null\n");
1132 sk_X509_push(x509_sk,x509_info->x509);
1133 X509_STORE_CTX_init(&st_ctx, c_ctx->cert_store, x509_info->x509, x509_sk);
1134 BIO_printf(bio_stdout,"calling x509_verify_cert\n");
1135 ret_match = X509_verify_cert(&st_ctx);
1138 BIO_printf(bio_stdout,"Certificates match\n");
1143 BIO_printf(bio_err,"Certificates don match\n");
1157 BIO_printf(bio_err,"client authentication\n");
1158 SSL_CTX_set_verify(s_ctx,
1159 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1161 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1165 BIO_printf(bio_err,"server authentication\n");
1166 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1168 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1172 int session_id_context = 0;
1173 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1176 c_ssl=SSL_new(c_ctx);
1177 s_ssl=SSL_new(s_ctx);
1179 #ifndef OPENSSL_NO_KRB5
1180 if (c_ssl && c_ssl->kssl_ctx)
1182 char localhost[MAXHOSTNAMELEN+2];
1184 if (gethostname(localhost, sizeof localhost-1) == 0)
1186 localhost[sizeof localhost-1]='\0';
1187 if(strlen(localhost) == sizeof localhost-1)
1189 BIO_printf(bio_err,"localhost name too long\n");
1192 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1196 #endif /* OPENSSL_NO_KRB5 */
1198 for (i=0; i<number; i++)
1200 if (!reuse) SSL_set_session(c_ssl,NULL);
1203 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1210 ret=doit(s_ssl,c_ssl,bytes);
1218 print_details(c_ssl, "");
1220 if ((number > 1) || (bytes > 1L))
1221 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1224 #ifdef CLOCKS_PER_SEC
1225 /* "To determine the time in seconds, the value returned
1226 * by the clock function should be divided by the value
1227 * of the macro CLOCKS_PER_SEC."
1228 * -- ISO/IEC 9899 */
1229 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1230 "Approximate total client time: %6.2f s\n",
1231 (double)s_time/CLOCKS_PER_SEC,
1232 (double)c_time/CLOCKS_PER_SEC);
1234 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1235 * -- cc on NeXTstep/OpenStep */
1236 BIO_printf(bio_stdout,
1237 "Approximate total server time: %6.2f units\n"
1238 "Approximate total client time: %6.2f units\n",
1248 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1249 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1251 if (bio_stdout != NULL) BIO_free(bio_stdout);
1253 #ifndef OPENSSL_NO_RSA
1256 #ifndef OPENSSL_NO_ENGINE
1259 CRYPTO_cleanup_all_ex_data();
1261 ERR_remove_state(0);
1263 //CRYPTO_mem_leaks(bio_err);
1264 if (bio_err != NULL) BIO_free(bio_err);
1273 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1274 clock_t *s_time, clock_t *c_time)
1276 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1277 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1278 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1281 size_t bufsiz = 256; /* small buffer for testing */
1283 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1285 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1288 s_ssl_bio = BIO_new(BIO_f_ssl());
1292 c_ssl_bio = BIO_new(BIO_f_ssl());
1296 SSL_set_connect_state(c_ssl);
1297 SSL_set_bio(c_ssl, client, client);
1298 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1300 SSL_set_accept_state(s_ssl);
1301 SSL_set_bio(s_ssl, server, server);
1302 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1306 /* c_ssl_bio: SSL filter BIO
1308 * client: pseudo-I/O for SSL library
1310 * client_io: client's SSL communication; usually to be
1311 * relayed over some I/O facility, but in this
1312 * test program, we're the server, too:
1314 * server_io: server's SSL communication
1316 * server: pseudo-I/O for SSL library
1318 * s_ssl_bio: SSL filter BIO
1320 * The client and the server each employ a "BIO pair":
1321 * client + client_io, server + server_io.
1322 * BIO pairs are symmetric. A BIO pair behaves similar
1323 * to a non-blocking socketpair (but both endpoints must
1324 * be handled by the same thread).
1325 * [Here we could connect client and server to the ends
1326 * of a single BIO pair, but then this code would be less
1327 * suitable as an example for BIO pairs in general.]
1329 * Useful functions for querying the state of BIO pair endpoints:
1331 * BIO_ctrl_pending(bio) number of bytes we can read now
1332 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1333 * other side's read attempt
1334 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1336 * ..._read_request is never more than ..._write_guarantee;
1337 * it depends on the application which one you should use.
1340 /* We have non-blocking behaviour throughout this test program, but
1341 * can be sure that there is *some* progress in each iteration; so
1342 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1343 * -- we just try everything in each iteration
1349 //MS_STATIC char cbuf[1024*8];
1350 MS_STATIC char cbuf[1024*2];
1352 clock_t c_clock = clock();
1354 memset(cbuf, 0, sizeof(cbuf));
1357 if (SSL_in_init(c_ssl))
1358 fprintf(stdout,"client waiting in SSL_connect - %s\n",
1359 SSL_state_string_long(c_ssl));
1363 /* Write to server. */
1365 if (cw_num > (long)sizeof cbuf)
1369 r = BIO_write(c_ssl_bio, cbuf, i);
1372 if (!BIO_should_retry(c_ssl_bio))
1374 fprintf(stderr,"ERROR in CLIENT\n");
1377 /* BIO_should_retry(...) can just be ignored here.
1378 * The library expects us to call BIO_write with
1379 * the same arguments again, and that's what we will
1380 * do in the next iteration. */
1384 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1390 fprintf(stdout,"client wrote %d\n", r);
1397 /* Read from server. */
1399 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1402 if (!BIO_should_retry(c_ssl_bio))
1404 fprintf(stderr,"ERROR in CLIENT\n");
1407 /* Again, "BIO_should_retry" can be ignored. */
1411 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1417 fprintf(stdout,"client read %d\n", r);
1422 /* c_time and s_time increments will typically be very small
1423 * (depending on machine speed and clock tick intervals),
1424 * but sampling over a large number of connections should
1425 * result in fairly accurate figures. We cannot guarantee
1426 * a lot, however -- if each connection lasts for exactly
1427 * one clock tick, it will be counted only for the client
1428 * or only for the server or even not at all.
1430 *c_time += (clock() - c_clock);
1436 //MS_STATIC char sbuf[1024*8];
1437 MS_STATIC char sbuf[1024*2];
1439 clock_t s_clock = clock();
1441 memset(sbuf, 0, sizeof(sbuf));
1444 if (SSL_in_init(s_ssl))
1445 fprintf(stdout,"server waiting in SSL_accept - %s\n",
1446 SSL_state_string_long(s_ssl));
1450 /* Write to client. */
1452 if (sw_num > (long)sizeof sbuf)
1456 r = BIO_write(s_ssl_bio, sbuf, i);
1459 if (!BIO_should_retry(s_ssl_bio))
1461 fprintf(stderr,"ERROR in SERVER\n");
1464 /* Ignore "BIO_should_retry". */
1468 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1474 fprintf(stdout,"server wrote %d\n", r);
1481 /* Read from client. */
1483 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1486 if (!BIO_should_retry(s_ssl_bio))
1488 fprintf(stderr,"ERROR in SERVER\n");
1495 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1501 fprintf(stdout,"server read %d\n", r);
1506 *s_time += (clock() - s_clock);
1510 /* "I/O" BETWEEN CLIENT AND SERVER. */
1513 BIO *io1 = server_io, *io2 = client_io;
1514 /* we use the non-copying interface for io1
1515 * and the standard BIO_write/BIO_read interface for io2
1518 static int prev_progress = 1;
1527 r1 = BIO_ctrl_pending(io1);
1528 r2 = BIO_ctrl_get_write_guarantee(io2);
1537 if (INT_MAX < num) /* yeah, right */
1540 r = BIO_nread(io1, &dataptr, (int)num);
1542 assert(r <= (int)num);
1543 /* possibly r < num (non-contiguous data) */
1545 r = BIO_write(io2, dataptr, (int)num);
1546 if (r != (int)num) /* can't happen */
1548 fprintf(stderr, "ERROR: BIO_write could not write "
1549 "BIO_ctrl_get_write_guarantee() bytes");
1555 fprintf(stdout,(io1 == client_io) ?
1556 "C->S relaying: %d bytes\n" :
1557 "S->C relaying: %d bytes\n",
1568 r1 = BIO_ctrl_pending(io2);
1569 r2 = BIO_ctrl_get_read_request(io1);
1570 /* here we could use ..._get_write_guarantee instead of
1571 * ..._get_read_request, but by using the latter
1572 * we test restartability of the SSL implementation
1573 * more thoroughly */
1585 --num; /* test restartability even more thoroughly */
1587 r = BIO_nwrite0(io1, &dataptr);
1591 r = BIO_read(io2, dataptr, (int)num);
1592 if (r != (int)num) /* can't happen */
1594 fprintf(stderr, "ERROR: BIO_read could not read "
1595 "BIO_ctrl_pending() bytes");
1599 r = BIO_nwrite(io1, &dataptr, (int)num);
1600 if (r != (int)num) /* can't happen */
1602 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1603 "BIO_nwrite0() bytes");
1608 fprintf(stdout,(io2 == client_io) ?
1609 "C->S relaying: %d bytes\n" :
1610 "S->C relaying: %d bytes\n",
1613 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1615 if (!progress && !prev_progress)
1616 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1618 fprintf(stderr, "ERROR: got stuck\n");
1619 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1621 fprintf(stderr, "This can happen for SSL2 because "
1622 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1623 "concurrently ...");
1624 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1625 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1627 fprintf(stderr, " ok.\n");
1631 fprintf(stderr, " ERROR.\n");
1634 prev_progress = progress;
1637 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1640 print_details(c_ssl, "DONE via BIO pair: ");
1645 ERR_print_errors(bio_err);
1650 BIO_free(server_io);
1654 BIO_free(client_io);
1656 BIO_free(s_ssl_bio);
1658 BIO_free(c_ssl_bio);
1669 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1671 //MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1672 MS_STATIC char cbuf[2*1024],sbuf[2*1024];
1678 int c_r,c_w,s_r,s_w;
1682 int c_write,s_write;
1683 int do_server=0,do_client=0;
1684 unsigned int cw_num,cr_num;
1685 unsigned int sw_num,sr_num;
1692 memset(cbuf,0,sizeof(cbuf));
1693 memset(sbuf,0,sizeof(sbuf));
1695 c_to_s=BIO_new(BIO_s_mem());
1696 s_to_c=BIO_new(BIO_s_mem());
1697 if ((s_to_c == NULL) || (c_to_s == NULL))
1699 ERR_print_errors(bio_err);
1703 c_bio=BIO_new(BIO_f_ssl());
1704 s_bio=BIO_new(BIO_f_ssl());
1707 if ((c_bio == NULL) || (s_bio == NULL))
1709 ERR_print_errors(bio_err);
1713 SSL_set_connect_state(c_ssl);
1714 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1715 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1716 SSL_set_accept_state(s_ssl);
1717 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1718 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1724 c_write=1,s_write=0;
1726 /* We can always do writes */
1732 i=(int)BIO_pending(s_bio);
1734 if ((i && s_r) || s_w) do_server=1;
1736 i=(int)BIO_pending(c_bio);
1738 if ((i && c_r) || c_w) do_client=1;
1740 if (do_server && debug)
1742 if (SSL_in_init(s_ssl))
1743 fprintf(stdout,"server waiting in SSL_accept - %s\n",
1744 SSL_state_string_long(s_ssl));
1745 /* else if (s_write)
1746 printf("server:SSL_write()\n");
1748 printf("server:SSL_read()\n"); */
1751 if (do_client && debug)
1753 if (SSL_in_init(c_ssl))
1754 fprintf(stdout,"client waiting in SSL_connect - %s\n",
1755 SSL_state_string_long(c_ssl));
1756 /* else if (c_write)
1757 printf("client:SSL_write()\n");
1759 printf("client:SSL_read()\n"); */
1762 if (!do_client && !do_server)
1764 fprintf(stdout,"ERROR IN STARTUP\n");
1765 ERR_print_errors(bio_err);
1768 if (do_client && !(done & C_DONE))
1772 j = (cw_num > (long)sizeof(cbuf)) ?
1773 (int)sizeof(cbuf) : (int)cw_num;
1775 i=BIO_write(c_bio,cbuf,j);
1781 if (BIO_should_retry(c_bio))
1784 if (BIO_should_read(c_bio))
1790 if (BIO_should_write(c_bio))
1799 fprintf(stderr,"ERROR in CLIENT\n");
1800 ERR_print_errors(bio_err);
1806 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1812 fprintf(stdout,"client wrote %d\n",i);
1821 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1826 if (BIO_should_retry(c_bio))
1828 if (BIO_should_read(c_bio))
1830 if (BIO_should_write(c_bio))
1835 fprintf(stderr,"ERROR in CLIENT\n");
1836 ERR_print_errors(bio_err);
1842 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1848 fprintf(stdout,"client read %d\n",i);
1865 if (do_server && !(done & S_DONE))
1869 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1874 if (BIO_should_retry(s_bio))
1876 if (BIO_should_read(s_bio))
1878 if (BIO_should_write(s_bio))
1883 fprintf(stderr,"ERROR in SERVER\n");
1884 ERR_print_errors(bio_err);
1890 ERR_print_errors(bio_err);
1891 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1897 fprintf(stdout,"server read %d\n",i);
1914 j = (sw_num > (long)sizeof(sbuf)) ?
1915 (int)sizeof(sbuf) : (int)sw_num;
1916 i=BIO_write(s_bio,sbuf,j);
1921 if (BIO_should_retry(s_bio))
1923 if (BIO_should_read(s_bio))
1925 if (BIO_should_write(s_bio))
1930 fprintf(stderr,"ERROR in SERVER\n");
1931 ERR_print_errors(bio_err);
1937 ERR_print_errors(bio_err);
1938 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1944 fprintf(stdout,"server wrote %d\n",i);
1954 if ((done & S_DONE) && (done & C_DONE)) break;
1958 print_details(c_ssl, "DONE: ");
1961 /* We have to set the BIO's to NULL otherwise they will be
1962 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1963 * again when c_ssl is SSL_free()ed.
1964 * This is a hack required because s_ssl and c_ssl are sharing the same
1965 * BIO structure and SSL_set_bio() and SSL_free() automatically
1966 * BIO_free non NULL entries.
1967 * You should not normally do this or be required to do this */
1979 if (c_to_s != NULL) BIO_free(c_to_s);
1980 if (s_to_c != NULL) BIO_free(s_to_c);
1981 if (c_bio != NULL) BIO_free_all(c_bio);
1982 if (s_bio != NULL) BIO_free_all(s_bio);
1986 static int get_proxy_auth_ex_data_idx(void)
1988 static volatile int idx = -1;
1991 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1994 idx = X509_STORE_CTX_get_ex_new_index(0,
1995 "SSLtest for verify callback", NULL,NULL,NULL);
1997 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
2002 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
2006 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
2011 fprintf(stderr,"depth=%d %s\n",
2012 ctx->error_depth,buf);
2015 fprintf(stderr,"depth=%d error=%d %s\n",
2016 ctx->error_depth,ctx->error,buf);
2022 fprintf(stderr,"Error string: %s\n",
2023 X509_verify_cert_error_string(ctx->error));
2026 case X509_V_ERR_CERT_NOT_YET_VALID:
2027 case X509_V_ERR_CERT_HAS_EXPIRED:
2028 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2029 fprintf(stderr," ... ignored.\n");
2036 X509 *xs = ctx->current_cert;
2038 X509 *xi = ctx->current_issuer;
2041 if (xs->ex_flags & EXFLAG_PROXY)
2043 unsigned int *letters =
2044 X509_STORE_CTX_get_ex_data(ctx,
2045 get_proxy_auth_ex_data_idx());
2051 PROXY_CERT_INFO_EXTENSION *pci =
2052 X509_get_ext_d2i(xs, NID_proxyCertInfo,
2055 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
2057 case NID_Independent:
2058 /* Completely meaningless in this
2059 program, as there's no way to
2060 grant explicit rights to a
2061 specific PrC. Basically, using
2062 id-ppl-Independent is the perfect
2063 way to grant no rights at all. */
2064 fprintf(stderr, " Independent proxy certificate");
2065 for (i = 0; i < 26; i++)
2068 case NID_id_ppl_inheritAll:
2069 /* This is basically a NOP, we
2070 simply let the current rights
2071 stand as they are. */
2072 fprintf(stderr, " Proxy certificate inherits all");
2076 pci->proxyPolicy->policy->data;
2077 i = pci->proxyPolicy->policy->length;
2079 /* The algorithm works as follows:
2080 it is assumed that previous
2081 iterations or the initial granted
2082 rights has already set some elements
2083 of `letters'. What we need to do is
2084 to clear those that weren't granted
2085 by the current PrC as well. The
2086 easiest way to do this is to add 1
2087 to all the elements whose letters
2088 are given with the current policy.
2089 That way, all elements that are set
2090 by the current policy and were
2091 already set by earlier policies and
2092 through the original grant of rights
2093 will get the value 2 or higher.
2094 The last thing to do is to sweep
2095 through `letters' and keep the
2096 elements having the value 2 as set,
2097 and clear all the others. */
2099 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
2103 if (isascii(c) && isalpha(c))
2110 for (i = 0; i < 26; i++)
2119 ", resulting proxy rights = ");
2120 for(i = 0; i < 26; i++)
2123 fprintf(stderr, "%c", i + 'A');
2127 fprintf(stderr, "none");
2128 fprintf(stderr, "\n");
2130 PROXY_CERT_INFO_EXTENSION_free(pci);
2138 static void process_proxy_debug(int indent, const char *format, ...)
2140 static const char indentation[] =
2141 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2142 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2143 char my_format[256];
2146 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2147 indent, indent, indentation, format);
2149 va_start(args, format);
2150 vfprintf(stderr, my_format, args);
2158 static int process_proxy_cond_adders(unsigned int letters[26],
2159 const char *cond, const char **cond_end, int *pos, int indent);
2160 static int process_proxy_cond_val(unsigned int letters[26],
2161 const char *cond, const char **cond_end, int *pos, int indent)
2167 while(isspace((int)*cond))
2174 process_proxy_debug(indent,
2175 "Start process_proxy_cond_val at position %d: %s\n",
2182 while(isspace((int)*cond))
2192 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2197 while(isspace((int)*cond))
2205 "Weird condition character in position %d: "
2212 else if (isascii(c) && isalpha(c))
2216 ok = letters[c - 'A'];
2222 "Weird condition character in position %d: "
2229 if (ok >= 0 && negate)
2233 process_proxy_debug(indent,
2234 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2239 static int process_proxy_cond_multipliers(unsigned int letters[26],
2240 const char *cond, const char **cond_end, int *pos, int indent)
2246 process_proxy_debug(indent,
2247 "Start process_proxy_cond_multipliers at position %d: %s\n",
2250 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2257 while(isspace((int)*cond))
2271 ok = process_proxy_cond_val(letters,
2272 cond, cond_end, pos, indent + 1);
2286 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2300 process_proxy_debug(indent,
2301 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2307 static int process_proxy_cond_adders(unsigned int letters[26],
2308 const char *cond, const char **cond_end, int *pos, int indent)
2314 process_proxy_debug(indent,
2315 "Start process_proxy_cond_adders at position %d: %s\n",
2318 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2326 while(isspace((int)*cond))
2339 ok = process_proxy_cond_multipliers(letters,
2340 cond, cond_end, pos, indent + 1);
2351 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2365 process_proxy_debug(indent,
2366 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2373 static int process_proxy_cond(unsigned int letters[26],
2374 const char *cond, const char **cond_end)
2377 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2380 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2383 struct app_verify_arg *cb_arg = arg;
2384 unsigned int letters[26]; /* only used with proxy_auth */
2386 if (cb_arg->app_verify)
2388 char *s = NULL,buf[256];
2390 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2391 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2392 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2393 (void *)ctx, (void *)ctx->cert);
2395 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2398 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2402 if (cb_arg->proxy_auth)
2404 int found_any = 0, i;
2407 for(i = 0; i < 26; i++)
2409 for(sp = cb_arg->proxy_auth; *sp; sp++)
2412 if (isascii(c) && isalpha(c))
2416 letters[c - 'A'] = 1;
2421 " Initial proxy rights = ");
2422 for(i = 0; i < 26; i++)
2425 fprintf(stderr, "%c", i + 'A');
2429 fprintf(stderr, "none");
2430 fprintf(stderr, "\n");
2432 X509_STORE_CTX_set_ex_data(ctx,
2433 get_proxy_auth_ex_data_idx(),letters);
2435 if (cb_arg->allow_proxy_certs)
2437 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2440 #ifndef OPENSSL_NO_X509_VERIFY
2441 # ifdef OPENSSL_FIPS
2442 if(s->version == TLS1_VERSION)
2445 ok = X509_verify_cert(ctx);
2446 # ifdef OPENSSL_FIPS
2447 if(s->version == TLS1_VERSION)
2452 if (cb_arg->proxy_auth)
2456 const char *cond_end = NULL;
2458 ok = process_proxy_cond(letters,
2459 cb_arg->proxy_cond, &cond_end);
2467 fprintf(stderr, "Stopped processing condition before it's end.\n");
2471 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2472 cb_arg->proxy_cond);
2474 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2475 cb_arg->proxy_cond);
2481 #ifndef OPENSSL_NO_RSA
2482 static RSA *rsa_tmp=NULL;
2484 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2487 if (rsa_tmp == NULL)
2490 rsa_tmp = RSA_new();
2491 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2493 BIO_printf(bio_err, "Memory error...");
2496 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2497 (void)BIO_flush(bio_err);
2498 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2500 BIO_printf(bio_err, "Error generating key.");
2505 BIO_printf(bio_err,"\n");
2506 (void)BIO_flush(bio_err);
2512 static void free_tmp_rsa(void)
2514 if (rsa_tmp != NULL)
2522 #ifndef OPENSSL_NO_DH
2523 /* These DH parameters have been generated as follows:
2524 * $ openssl dhparam -C -noout 512
2525 * $ openssl dhparam -C -noout 1024
2526 * $ openssl dhparam -C -noout -dsaparam 1024
2527 * (The third function has been renamed to avoid name conflicts.)
2529 static DH *get_dh512()
2531 static unsigned char dh512_p[]={
2532 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2533 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2534 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2535 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2536 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2537 0x02,0xC5,0xAE,0x23,
2539 static unsigned char dh512_g[]={
2544 if ((dh=DH_new()) == NULL) return(NULL);
2545 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2546 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2547 if ((dh->p == NULL) || (dh->g == NULL))
2548 { DH_free(dh); return(NULL); }
2552 static DH *get_dh1024()
2554 static unsigned char dh1024_p[]={
2555 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2556 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2557 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2558 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2559 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2560 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2561 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2562 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2563 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2564 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2565 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2567 static unsigned char dh1024_g[]={
2572 if ((dh=DH_new()) == NULL) return(NULL);
2573 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2574 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2575 if ((dh->p == NULL) || (dh->g == NULL))
2576 { DH_free(dh); return(NULL); }
2580 static DH *get_dh1024dsa()
2582 static unsigned char dh1024_p[]={
2583 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2584 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2585 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2586 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2587 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2588 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2589 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2590 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2591 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2592 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2593 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2595 static unsigned char dh1024_g[]={
2596 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2597 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2598 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2599 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2600 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2601 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2602 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2603 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2604 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2605 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2606 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2610 if ((dh=DH_new()) == NULL) return(NULL);
2611 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2612 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2613 if ((dh->p == NULL) || (dh->g == NULL))
2614 { DH_free(dh); return(NULL); }
2619 static int do_test_cipherlist(void)
2622 const SSL_METHOD *meth;
2623 SSL_CIPHER *ci, *tci = NULL;
2625 fprintf(stderr, "testing SSLv2 cipher list order: ");
2626 meth = SSLv2_method();
2627 while ((ci = meth->get_cipher(i++)) != NULL)
2630 if (ci->id >= tci->id)
2632 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2637 fprintf(stderr, "ok\n");
2639 fprintf(stderr, "testing SSLv3 cipher list order: ");
2640 meth = SSLv3_method();
2642 while ((ci = meth->get_cipher(i++)) != NULL)
2645 if (ci->id >= tci->id)
2647 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2652 fprintf(stderr, "ok\n");
2654 fprintf(stderr, "testing TLSv1 cipher list order: ");
2655 meth = TLSv1_method();
2657 while ((ci = meth->get_cipher(i++)) != NULL)
2660 if (ci->id >= tci->id)
2662 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2667 fprintf(stderr, "ok\n");