~ubuntu-branches/ubuntu/vivid/openssl/vivid-updates
» Revision
93
: .pc/CVE-2013-0169.patch/ssl/ssltest.c
« back to all changes in this revision
Viewing changes to .pc/CVE-2013-0169.patch/ssl/ssltest.c
- browse files at revision 93
- compare with another revision
- download diff
- download tarball
- view history from revision 93
- Committer: Package Import Robot
- Author(s): Marc Deslauriers
- Date: 2013-03-19 14:33:14 UTC
- Revision ID: package-import@ubuntu.com-20130319143314-b3hsxjjcin3ebyy0
Tags: 1.0.1c-4ubuntu8
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
- debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
commit from upstream to fix regression.
- CVE-2013-0169
- debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra
commit from upstream to fix regression.
- CVE-2013-0169
- files added:
- .pc/CVE-2013-0169.patch
- .pc/CVE-2013-0169.patch/crypto
- .pc/CVE-2013-0169.patch/crypto/bn
- .pc/CVE-2013-0169.patch/crypto/evp
- .pc/CVE-2013-0169.patch/crypto/rsa
- .pc/CVE-2013-0169.patch/ssl
- .pc/CVE-2013-0169.patch/test
- .pc/CVE-2013-0169.patch/util
- files modified:
- .pc/applied-patches
added
removed
.pc/CVE-2013-0169.patch/ssl/ssltest.c
1
/* ssl/ssltest.c */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
* All rights reserved.
4
*
5
* This package is an SSL implementation written
6
* by Eric Young (eay@cryptsoft.com).
7
* The implementation was written so as to conform with Netscapes SSL.
8
*
9
* This library is free for commercial and non-commercial use as long as
10
* the following conditions are aheared to. The following conditions
11
* apply to all code found in this distribution, be it the RC4, RSA,
12
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13
* included with this distribution is covered by the same copyright terms
14
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
*
16
* Copyright remains Eric Young's, and as such any Copyright notices in
17
* the code are not to be removed.
18
* If this package is used in a product, Eric Young should be given attribution
19
* as the author of the parts of the library used.
20
* This can be in the form of a textual message at program startup or
21
* in documentation (online or textual) provided with the package.
22
*
23
* Redistribution and use in source and binary forms, with or without
24
* modification, are permitted provided that the following conditions
25
* are met:
26
* 1. Redistributions of source code must retain the copyright
27
* notice, this list of conditions and the following disclaimer.
28
* 2. Redistributions in binary form must reproduce the above copyright
29
* notice, this list of conditions and the following disclaimer in the
30
* documentation and/or other materials provided with the distribution.
31
* 3. All advertising materials mentioning features or use of this software
32
* must display the following acknowledgement:
33
* "This product includes cryptographic software written by
34
* Eric Young (eay@cryptsoft.com)"
35
* The word 'cryptographic' can be left out if the rouines from the library
36
* being used are not cryptographic related :-).
37
* 4. If you include any Windows specific code (or a derivative thereof) from
38
* the apps directory (application code) you must include an acknowledgement:
39
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
*
41
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
* SUCH DAMAGE.
52
*
53
* The licence and distribution terms for any publically available version or
54
* derivative of this code cannot be changed. i.e. this code cannot simply be
55
* copied and put under another distribution licence
56
* [including the GNU Public Licence.]
57
*/
58
/* ====================================================================
59
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60
*
61
* Redistribution and use in source and binary forms, with or without
62
* modification, are permitted provided that the following conditions
63
* are met:
64
*
65
* 1. Redistributions of source code must retain the above copyright
66
* notice, this list of conditions and the following disclaimer.
67
*
68
* 2. Redistributions in binary form must reproduce the above copyright
69
* notice, this list of conditions and the following disclaimer in
70
* the documentation and/or other materials provided with the
71
* distribution.
72
*
73
* 3. All advertising materials mentioning features or use of this
74
* software must display the following acknowledgment:
75
* "This product includes software developed by the OpenSSL Project
76
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77
*
78
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79
* endorse or promote products derived from this software without
80
* prior written permission. For written permission, please contact
81
* openssl-core@openssl.org.
82
*
83
* 5. Products derived from this software may not be called "OpenSSL"
84
* nor may "OpenSSL" appear in their names without prior written
85
* permission of the OpenSSL Project.
86
*
87
* 6. Redistributions of any form whatsoever must retain the following
88
* acknowledgment:
89
* "This product includes software developed by the OpenSSL Project
90
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91
*
92
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103
* OF THE POSSIBILITY OF SUCH DAMAGE.
104
* ====================================================================
105
*
106
* This product includes cryptographic software written by Eric Young
107
* (eay@cryptsoft.com). This product includes software written by Tim
108
* Hudson (tjh@cryptsoft.com).
109
*
110
*/
111
/* ====================================================================
112
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113
* ECC cipher suite support in OpenSSL originally developed by
114
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115
*/
116
/* ====================================================================
117
* Copyright 2005 Nokia. All rights reserved.
118
*
119
* The portions of the attached software ("Contribution") is developed by
120
* Nokia Corporation and is licensed pursuant to the OpenSSL open source
121
* license.
122
*
123
* The Contribution, originally written by Mika Kousa and Pasi Eronen of
124
* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125
* support (see RFC 4279) to OpenSSL.
126
*
127
* No patent licenses or other rights except those expressly stated in
128
* the OpenSSL open source license shall be deemed granted or received
129
* expressly, by implication, estoppel, or otherwise.
130
*
131
* No assurances are provided by Nokia that the Contribution does not
132
* infringe the patent or other intellectual property rights of any third
133
* party or that the license provides you with all the necessary rights
134
* to make use of the Contribution.
135
*
136
* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137
* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138
* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140
* OTHERWISE.
141
*/
142
143
#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144
on Linux and GNU platforms. */
145
146
#include <assert.h>
147
#include <errno.h>
148
#include <limits.h>
149
#include <stdio.h>
150
#include <stdlib.h>
151
#include <string.h>
152
#include <time.h>
153
154
#define USE_SOCKETS
155
#include "e_os.h"
156
157
#ifdef OPENSSL_SYS_VMS
158
#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159
VMS (at least with DECompHP C). */
160
#endif
161
162
#include <ctype.h>
163
164
#include <openssl/bio.h>
165
#include <openssl/crypto.h>
166
#include <openssl/evp.h>
167
#include <openssl/x509.h>
168
#include <openssl/x509v3.h>
169
#include <openssl/ssl.h>
170
#ifndef OPENSSL_NO_ENGINE
171
#include <openssl/engine.h>
172
#endif
173
#include <openssl/err.h>
174
#include <openssl/rand.h>
175
#ifndef OPENSSL_NO_RSA
176
#include <openssl/rsa.h>
177
#endif
178
#ifndef OPENSSL_NO_DSA
179
#include <openssl/dsa.h>
180
#endif
181
#ifndef OPENSSL_NO_DH
182
#include <openssl/dh.h>
183
#endif
184
#ifndef OPENSSL_NO_SRP
185
#include <openssl/srp.h>
186
#endif
187
#include <openssl/bn.h>
188
189
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
190
on Compaq platforms (at least with DEC C).
191
Do not try to put it earlier, or IPv6 includes
192
get screwed...
193
*/
194
195
#ifdef OPENSSL_SYS_WINDOWS
196
#include <winsock.h>
197
#else
198
#include OPENSSL_UNISTD
199
#endif
200
201
#ifdef OPENSSL_SYS_VMS
202
# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203
# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
204
#elif defined(OPENSSL_SYS_WINCE)
205
# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206
# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
207
#elif defined(OPENSSL_SYS_NETWARE)
208
# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209
# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
210
#else
211
# define TEST_SERVER_CERT "../apps/server.pem"
212
# define TEST_CLIENT_CERT "../apps/client.pem"
213
#endif
214
215
/* There is really no standard for this, so let's assign some tentative
216
numbers. In any case, these numbers are only for this test */
217
#define COMP_RLE 255
218
#define COMP_ZLIB 1
219
220
static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
221
#ifndef OPENSSL_NO_RSA
222
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
223
static void free_tmp_rsa(void);
224
#endif
225
static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
226
#define APP_CALLBACK_STRING "Test Callback Argument"
227
struct app_verify_arg
228
{
229
char *string;
230
int app_verify;
231
int allow_proxy_certs;
232
char *proxy_auth;
233
char *proxy_cond;
234
};
235
236
#ifndef OPENSSL_NO_DH
237
static DH *get_dh512(void);
238
static DH *get_dh1024(void);
239
static DH *get_dh1024dsa(void);
240
#endif
241
242
243
static char *psk_key=NULL; /* by default PSK is not used */
244
#ifndef OPENSSL_NO_PSK
245
static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
246
unsigned int max_identity_len, unsigned char *psk,
247
unsigned int max_psk_len);
248
static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249
unsigned int max_psk_len);
250
#endif
251
252
#ifndef OPENSSL_NO_SRP
253
/* SRP client */
254
/* This is a context that we pass to all callbacks */
255
typedef struct srp_client_arg_st
256
{
257
char *srppassin;
258
char *srplogin;
259
} SRP_CLIENT_ARG;
260
261
#define PWD_STRLEN 1024
262
263
static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
264
{
265
SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266
return BUF_strdup((char *)srp_client_arg->srppassin);
267
}
268
269
/* SRP server */
270
/* This is a context that we pass to SRP server callbacks */
271
typedef struct srp_server_arg_st
272
{
273
char *expected_user;
274
char *pass;
275
} SRP_SERVER_ARG;
276
277
static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
278
{
279
SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281
if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282
{
283
fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284
return SSL3_AL_FATAL;
285
}
286
if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287
{
288
*ad = SSL_AD_INTERNAL_ERROR;
289
return SSL3_AL_FATAL;
290
}
291
return SSL_ERROR_NONE;
292
}
293
#endif
294
295
static BIO *bio_err=NULL;
296
static BIO *bio_stdout=NULL;
297
298
static char *cipher=NULL;
299
static int verbose=0;
300
static int debug=0;
301
#if 0
302
/* Not used yet. */
303
#ifdef FIONBIO
304
static int s_nbio=0;
305
#endif
306
#endif
307
308
static const char rnd_seed[] = "string to make the random number generator think it has entropy";
309
310
int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
311
int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
312
static int do_test_cipherlist(void);
313
static void sv_usage(void)
314
{
315
fprintf(stderr,"usage: ssltest [args ...]\n");
316
fprintf(stderr,"\n");
317
#ifdef OPENSSL_FIPS
318
fprintf(stderr,"-F - run test in FIPS mode\n");
319
#endif
320
fprintf(stderr," -server_auth - check server certificate\n");
321
fprintf(stderr," -client_auth - do client authentication\n");
322
fprintf(stderr," -proxy - allow proxy certificates\n");
323
fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
324
fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
325
fprintf(stderr," -v - more output\n");
326
fprintf(stderr," -d - debug output\n");
327
fprintf(stderr," -reuse - use session-id reuse\n");
328
fprintf(stderr," -num <val> - number of connections to perform\n");
329
fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
330
#ifndef OPENSSL_NO_DH
331
fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
332
fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
333
fprintf(stderr," -no_dhe - disable DHE\n");
334
#endif
335
#ifndef OPENSSL_NO_ECDH
336
fprintf(stderr," -no_ecdhe - disable ECDHE\n");
337
#endif
338
#ifndef OPENSSL_NO_PSK
339
fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
340
#endif
341
#ifndef OPENSSL_NO_SRP
342
fprintf(stderr," -srpuser user - SRP username to use\n");
343
fprintf(stderr," -srppass arg - password for 'user'\n");
344
#endif
345
#ifndef OPENSSL_NO_SSL2
346
fprintf(stderr," -ssl2 - use SSLv2\n");
347
#endif
348
#ifndef OPENSSL_NO_SSL3
349
fprintf(stderr," -ssl3 - use SSLv3\n");
350
#endif
351
#ifndef OPENSSL_NO_TLS1
352
fprintf(stderr," -tls1 - use TLSv1\n");
353
#endif
354
fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
355
fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
356
fprintf(stderr," -cert arg - Server certificate file\n");
357
fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
358
fprintf(stderr," -c_cert arg - Client certificate file\n");
359
fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
360
fprintf(stderr," -cipher arg - The cipher list\n");
361
fprintf(stderr," -bio_pair - Use BIO pairs\n");
362
fprintf(stderr," -f - Test even cases that can't work\n");
363
fprintf(stderr," -time - measure processor time used by client and server\n");
364
fprintf(stderr," -zlib - use zlib compression\n");
365
fprintf(stderr," -rle - use rle compression\n");
366
#ifndef OPENSSL_NO_ECDH
367
fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
368
" Use \"openssl ecparam -list_curves\" for all names\n" \
369
" (default is sect163r2).\n");
370
#endif
371
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
372
}
373
374
static void print_details(SSL *c_ssl, const char *prefix)
375
{
376
const SSL_CIPHER *ciph;
377
X509 *cert;
378
379
ciph=SSL_get_current_cipher(c_ssl);
380
BIO_printf(bio_stdout,"%s%s, cipher %s %s",
381
prefix,
382
SSL_get_version(c_ssl),
383
SSL_CIPHER_get_version(ciph),
384
SSL_CIPHER_get_name(ciph));
385
cert=SSL_get_peer_certificate(c_ssl);
386
if (cert != NULL)
387
{
388
EVP_PKEY *pkey = X509_get_pubkey(cert);
389
if (pkey != NULL)
390
{
391
if (0)
392
;
393
#ifndef OPENSSL_NO_RSA
394
else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
395
&& pkey->pkey.rsa->n != NULL)
396
{
397
BIO_printf(bio_stdout, ", %d bit RSA",
398
BN_num_bits(pkey->pkey.rsa->n));
399
}
400
#endif
401
#ifndef OPENSSL_NO_DSA
402
else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
403
&& pkey->pkey.dsa->p != NULL)
404
{
405
BIO_printf(bio_stdout, ", %d bit DSA",
406
BN_num_bits(pkey->pkey.dsa->p));
407
}
408
#endif
409
EVP_PKEY_free(pkey);
410
}
411
X509_free(cert);
412
}
413
/* The SSL API does not allow us to look at temporary RSA/DH keys,
414
* otherwise we should print their lengths too */
415
BIO_printf(bio_stdout,"\n");
416
}
417
418
static void lock_dbg_cb(int mode, int type, const char *file, int line)
419
{
420
static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
421
const char *errstr = NULL;
422
int rw;
423
424
rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
425
if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
426
{
427
errstr = "invalid mode";
428
goto err;
429
}
430
431
if (type < 0 || type >= CRYPTO_NUM_LOCKS)
432
{
433
errstr = "type out of bounds";
434
goto err;
435
}
436
437
if (mode & CRYPTO_LOCK)
438
{
439
if (modes[type])
440
{
441
errstr = "already locked";
442
/* must not happen in a single-threaded program
443
* (would deadlock) */
444
goto err;
445
}
446
447
modes[type] = rw;
448
}
449
else if (mode & CRYPTO_UNLOCK)
450
{
451
if (!modes[type])
452
{
453
errstr = "not locked";
454
goto err;
455
}
456
457
if (modes[type] != rw)
458
{
459
errstr = (rw == CRYPTO_READ) ?
460
"CRYPTO_r_unlock on write lock" :
461
"CRYPTO_w_unlock on read lock";
462
}
463
464
modes[type] = 0;
465
}
466
else
467
{
468
errstr = "invalid mode";
469
goto err;
470
}
471
472
err:
473
if (errstr)
474
{
475
/* we cannot use bio_err here */
476
fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
477
errstr, mode, type, file, line);
478
}
479
}
480
481
#ifdef TLSEXT_TYPE_opaque_prf_input
482
struct cb_info_st { void *input; size_t len; int ret; };
483
struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
484
struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
485
struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
486
struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
487
488
int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
489
{
490
struct cb_info_st *arg = arg_;
491
492
if (arg == NULL)
493
return 1;
494
495
if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
496
return 0;
497
return arg->ret;
498
}
499
#endif
500
501
int main(int argc, char *argv[])
502
{
503
char *CApath=NULL,*CAfile=NULL;
504
int badop=0;
505
int bio_pair=0;
506
int force=0;
507
int tls1=0,ssl2=0,ssl3=0,ret=1;
508
int client_auth=0;
509
int server_auth=0,i;
510
struct app_verify_arg app_verify_arg =
511
{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
512
char *server_cert=TEST_SERVER_CERT;
513
char *server_key=NULL;
514
char *client_cert=TEST_CLIENT_CERT;
515
char *client_key=NULL;
516
#ifndef OPENSSL_NO_ECDH
517
char *named_curve = NULL;
518
#endif
519
SSL_CTX *s_ctx=NULL;
520
SSL_CTX *c_ctx=NULL;
521
const SSL_METHOD *meth=NULL;
522
SSL *c_ssl,*s_ssl;
523
int number=1,reuse=0;
524
long bytes=256L;
525
#ifndef OPENSSL_NO_DH
526
DH *dh;
527
int dhe1024 = 0, dhe1024dsa = 0;
528
#endif
529
#ifndef OPENSSL_NO_ECDH
530
EC_KEY *ecdh = NULL;
531
#endif
532
#ifndef OPENSSL_NO_SRP
533
/* client */
534
SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
535
/* server */
536
SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
537
#endif
538
int no_dhe = 0;
539
int no_ecdhe = 0;
540
int no_psk = 0;
541
int print_time = 0;
542
clock_t s_time = 0, c_time = 0;
543
int comp = 0;
544
#ifndef OPENSSL_NO_COMP
545
COMP_METHOD *cm = NULL;
546
#endif
547
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
548
int test_cipherlist = 0;
549
#ifdef OPENSSL_FIPS
550
int fips_mode=0;
551
#endif
552
553
verbose = 0;
554
debug = 0;
555
cipher = 0;
556
557
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
558
559
CRYPTO_set_locking_callback(lock_dbg_cb);
560
561
/* enable memory leak checking unless explicitly disabled */
562
if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
563
{
564
CRYPTO_malloc_debug_init();
565
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
566
}
567
else
568
{
569
/* OPENSSL_DEBUG_MEMORY=off */
570
CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
571
}
572
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
573
574
RAND_seed(rnd_seed, sizeof rnd_seed);
575
576
bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
577
578
argc--;
579
argv++;
580
581
while (argc >= 1)
582
{
583
if(!strcmp(*argv,"-F"))
584
{
585
#ifdef OPENSSL_FIPS
586
fips_mode=1;
587
#else
588
fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
589
EXIT(0);
590
#endif
591
}
592
else if (strcmp(*argv,"-server_auth") == 0)
593
server_auth=1;
594
else if (strcmp(*argv,"-client_auth") == 0)
595
client_auth=1;
596
else if (strcmp(*argv,"-proxy_auth") == 0)
597
{
598
if (--argc < 1) goto bad;
599
app_verify_arg.proxy_auth= *(++argv);
600
}
601
else if (strcmp(*argv,"-proxy_cond") == 0)
602
{
603
if (--argc < 1) goto bad;
604
app_verify_arg.proxy_cond= *(++argv);
605
}
606
else if (strcmp(*argv,"-v") == 0)
607
verbose=1;
608
else if (strcmp(*argv,"-d") == 0)
609
debug=1;
610
else if (strcmp(*argv,"-reuse") == 0)
611
reuse=1;
612
else if (strcmp(*argv,"-dhe1024") == 0)
613
{
614
#ifndef OPENSSL_NO_DH
615
dhe1024=1;
616
#else
617
fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
618
#endif
619
}
620
else if (strcmp(*argv,"-dhe1024dsa") == 0)
621
{
622
#ifndef OPENSSL_NO_DH
623
dhe1024dsa=1;
624
#else
625
fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
626
#endif
627
}
628
else if (strcmp(*argv,"-no_dhe") == 0)
629
no_dhe=1;
630
else if (strcmp(*argv,"-no_ecdhe") == 0)
631
no_ecdhe=1;
632
else if (strcmp(*argv,"-psk") == 0)
633
{
634
if (--argc < 1) goto bad;
635
psk_key=*(++argv);
636
#ifndef OPENSSL_NO_PSK
637
if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
638
{
639
BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
640
goto bad;
641
}
642
#else
643
no_psk=1;
644
#endif
645
}
646
#ifndef OPENSSL_NO_SRP
647
else if (strcmp(*argv,"-srpuser") == 0)
648
{
649
if (--argc < 1) goto bad;
650
srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
651
tls1=1;
652
}
653
else if (strcmp(*argv,"-srppass") == 0)
654
{
655
if (--argc < 1) goto bad;
656
srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
657
tls1=1;
658
}
659
#endif
660
else if (strcmp(*argv,"-ssl2") == 0)
661
ssl2=1;
662
else if (strcmp(*argv,"-tls1") == 0)
663
tls1=1;
664
else if (strcmp(*argv,"-ssl3") == 0)
665
ssl3=1;
666
else if (strncmp(*argv,"-num",4) == 0)
667
{
668
if (--argc < 1) goto bad;
669
number= atoi(*(++argv));
670
if (number == 0) number=1;
671
}
672
else if (strcmp(*argv,"-bytes") == 0)
673
{
674
if (--argc < 1) goto bad;
675
bytes= atol(*(++argv));
676
if (bytes == 0L) bytes=1L;
677
i=strlen(argv[0]);
678
if (argv[0][i-1] == 'k') bytes*=1024L;
679
if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
680
}
681
else if (strcmp(*argv,"-cert") == 0)
682
{
683
if (--argc < 1) goto bad;
684
server_cert= *(++argv);
685
}
686
else if (strcmp(*argv,"-s_cert") == 0)
687
{
688
if (--argc < 1) goto bad;
689
server_cert= *(++argv);
690
}
691
else if (strcmp(*argv,"-key") == 0)
692
{
693
if (--argc < 1) goto bad;
694
server_key= *(++argv);
695
}
696
else if (strcmp(*argv,"-s_key") == 0)
697
{
698
if (--argc < 1) goto bad;
699
server_key= *(++argv);
700
}
701
else if (strcmp(*argv,"-c_cert") == 0)
702
{
703
if (--argc < 1) goto bad;
704
client_cert= *(++argv);
705
}
706
else if (strcmp(*argv,"-c_key") == 0)
707
{
708
if (--argc < 1) goto bad;
709
client_key= *(++argv);
710
}
711
else if (strcmp(*argv,"-cipher") == 0)
712
{
713
if (--argc < 1) goto bad;
714
cipher= *(++argv);
715
}
716
else if (strcmp(*argv,"-CApath") == 0)
717
{
718
if (--argc < 1) goto bad;
719
CApath= *(++argv);
720
}
721
else if (strcmp(*argv,"-CAfile") == 0)
722
{
723
if (--argc < 1) goto bad;
724
CAfile= *(++argv);
725
}
726
else if (strcmp(*argv,"-bio_pair") == 0)
727
{
728
bio_pair = 1;
729
}
730
else if (strcmp(*argv,"-f") == 0)
731
{
732
force = 1;
733
}
734
else if (strcmp(*argv,"-time") == 0)
735
{
736
print_time = 1;
737
}
738
else if (strcmp(*argv,"-zlib") == 0)
739
{
740
comp = COMP_ZLIB;
741
}
742
else if (strcmp(*argv,"-rle") == 0)
743
{
744
comp = COMP_RLE;
745
}
746
else if (strcmp(*argv,"-named_curve") == 0)
747
{
748
if (--argc < 1) goto bad;
749
#ifndef OPENSSL_NO_ECDH
750
named_curve = *(++argv);
751
#else
752
fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
753
++argv;
754
#endif
755
}
756
else if (strcmp(*argv,"-app_verify") == 0)
757
{
758
app_verify_arg.app_verify = 1;
759
}
760
else if (strcmp(*argv,"-proxy") == 0)
761
{
762
app_verify_arg.allow_proxy_certs = 1;
763
}
764
else if (strcmp(*argv,"-test_cipherlist") == 0)
765
{
766
test_cipherlist = 1;
767
}
768
else
769
{
770
fprintf(stderr,"unknown option %s\n",*argv);
771
badop=1;
772
break;
773
}
774
argc--;
775
argv++;
776
}
777
if (badop)
778
{
779
bad:
780
sv_usage();
781
goto end;
782
}
783
784
if (test_cipherlist == 1)
785
{
786
/* ensure that the cipher list are correctly sorted and exit */
787
if (do_test_cipherlist() == 0)
788
EXIT(1);
789
ret = 0;
790
goto end;
791
}
792
793
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
794
{
795
fprintf(stderr, "This case cannot work. Use -f to perform "
796
"the test anyway (and\n-d to see what happens), "
797
"or add one of -ssl2, -ssl3, -tls1, -reuse\n"
798
"to avoid protocol mismatch.\n");
799
EXIT(1);
800
}
801
802
#ifdef OPENSSL_FIPS
803
if(fips_mode)
804
{
805
if(!FIPS_mode_set(1))
806
{
807
ERR_load_crypto_strings();
808
ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
809
EXIT(1);
810
}
811
else
812
fprintf(stderr,"*** IN FIPS MODE ***\n");
813
}
814
#endif
815
816
if (print_time)
817
{
818
if (!bio_pair)
819
{
820
fprintf(stderr, "Using BIO pair (-bio_pair)\n");
821
bio_pair = 1;
822
}
823
if (number < 50 && !force)
824
fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
825
}
826
827
/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
828
829
SSL_library_init();
830
SSL_load_error_strings();
831
832
#ifndef OPENSSL_NO_COMP
833
if (comp == COMP_ZLIB) cm = COMP_zlib();
834
if (comp == COMP_RLE) cm = COMP_rle();
835
if (cm != NULL)
836
{
837
if (cm->type != NID_undef)
838
{
839
if (SSL_COMP_add_compression_method(comp, cm) != 0)
840
{
841
fprintf(stderr,
842
"Failed to add compression method\n");
843
ERR_print_errors_fp(stderr);
844
}
845
}
846
else
847
{
848
fprintf(stderr,
849
"Warning: %s compression not supported\n",
850
(comp == COMP_RLE ? "rle" :
851
(comp == COMP_ZLIB ? "zlib" :
852
"unknown")));
853
ERR_print_errors_fp(stderr);
854
}
855
}
856
ssl_comp_methods = SSL_COMP_get_compression_methods();
857
fprintf(stderr, "Available compression methods:\n");
858
{
859
int j, n = sk_SSL_COMP_num(ssl_comp_methods);
860
if (n == 0)
861
fprintf(stderr, " NONE\n");
862
else
863
for (j = 0; j < n; j++)
864
{
865
SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
866
fprintf(stderr, " %d: %s\n", c->id, c->name);
867
}
868
}
869
#endif
870
871
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
872
if (ssl2)
873
meth=SSLv2_method();
874
else
875
if (tls1)
876
meth=TLSv1_method();
877
else
878
if (ssl3)
879
meth=SSLv3_method();
880
else
881
meth=SSLv23_method();
882
#else
883
#ifdef OPENSSL_NO_SSL2
884
meth=SSLv3_method();
885
#else
886
meth=SSLv2_method();
887
#endif
888
#endif
889
890
c_ctx=SSL_CTX_new(meth);
891
s_ctx=SSL_CTX_new(meth);
892
if ((c_ctx == NULL) || (s_ctx == NULL))
893
{
894
ERR_print_errors(bio_err);
895
goto end;
896
}
897
898
if (cipher != NULL)
899
{
900
SSL_CTX_set_cipher_list(c_ctx,cipher);
901
SSL_CTX_set_cipher_list(s_ctx,cipher);
902
}
903
904
#ifndef OPENSSL_NO_DH
905
if (!no_dhe)
906
{
907
if (dhe1024dsa)
908
{
909
/* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
910
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
911
dh=get_dh1024dsa();
912
}
913
else if (dhe1024)
914
dh=get_dh1024();
915
else
916
dh=get_dh512();
917
SSL_CTX_set_tmp_dh(s_ctx,dh);
918
DH_free(dh);
919
}
920
#else
921
(void)no_dhe;
922
#endif
923
924
#ifndef OPENSSL_NO_ECDH
925
if (!no_ecdhe)
926
{
927
int nid;
928
929
if (named_curve != NULL)
930
{
931
nid = OBJ_sn2nid(named_curve);
932
if (nid == 0)
933
{
934
BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
935
goto end;
936
}
937
}
938
else
939
#ifdef OPENSSL_NO_EC2M
940
nid = NID_X9_62_prime256v1;
941
#else
942
nid = NID_sect163r2;
943
#endif
944
945
ecdh = EC_KEY_new_by_curve_name(nid);
946
if (ecdh == NULL)
947
{
948
BIO_printf(bio_err, "unable to create curve\n");
949
goto end;
950
}
951
952
SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
953
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
954
EC_KEY_free(ecdh);
955
}
956
#else
957
(void)no_ecdhe;
958
#endif
959
960
#ifndef OPENSSL_NO_RSA
961
SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
962
#endif
963
964
#ifdef TLSEXT_TYPE_opaque_prf_input
965
SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
966
SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
967
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
968
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
969
#endif
970
971
if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
972
{
973
ERR_print_errors(bio_err);
974
}
975
else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
976
(server_key?server_key:server_cert), SSL_FILETYPE_PEM))
977
{
978
ERR_print_errors(bio_err);
979
goto end;
980
}
981
982
if (client_auth)
983
{
984
SSL_CTX_use_certificate_file(c_ctx,client_cert,
985
SSL_FILETYPE_PEM);
986
SSL_CTX_use_PrivateKey_file(c_ctx,
987
(client_key?client_key:client_cert),
988
SSL_FILETYPE_PEM);
989
}
990
991
if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
992
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
993
(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
994
(!SSL_CTX_set_default_verify_paths(c_ctx)))
995
{
996
/* fprintf(stderr,"SSL_load_verify_locations\n"); */
997
ERR_print_errors(bio_err);
998
/* goto end; */
999
}
1000
1001
if (client_auth)
1002
{
1003
BIO_printf(bio_err,"client authentication\n");
1004
SSL_CTX_set_verify(s_ctx,
1005
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1006
verify_callback);
1007
SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1008
}
1009
if (server_auth)
1010
{
1011
BIO_printf(bio_err,"server authentication\n");
1012
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1013
verify_callback);
1014
SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1015
}
1016
1017
{
1018
int session_id_context = 0;
1019
SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1020
}
1021
1022
/* Use PSK only if PSK key is given */
1023
if (psk_key != NULL)
1024
{
1025
/* no_psk is used to avoid putting psk command to openssl tool */
1026
if (no_psk)
1027
{
1028
/* if PSK is not compiled in and psk key is
1029
* given, do nothing and exit successfully */
1030
ret=0;
1031
goto end;
1032
}
1033
#ifndef OPENSSL_NO_PSK
1034
SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1035
SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1036
if (debug)
1037
BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1038
if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1039
{
1040
BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1041
ERR_print_errors(bio_err);
1042
goto end;
1043
}
1044
#endif
1045
}
1046
#ifndef OPENSSL_NO_SRP
1047
if (srp_client_arg.srplogin)
1048
{
1049
if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1050
{
1051
BIO_printf(bio_err,"Unable to set SRP username\n");
1052
goto end;
1053
}
1054
SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1055
SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1056
/*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1057
}
1058
1059
if (srp_server_arg.expected_user != NULL)
1060
{
1061
SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1062
SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1063
SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1064
}
1065
#endif
1066
1067
c_ssl=SSL_new(c_ctx);
1068
s_ssl=SSL_new(s_ctx);
1069
1070
#ifndef OPENSSL_NO_KRB5
1071
if (c_ssl && c_ssl->kssl_ctx)
1072
{
1073
char localhost[MAXHOSTNAMELEN+2];
1074
1075
if (gethostname(localhost, sizeof localhost-1) == 0)
1076
{
1077
localhost[sizeof localhost-1]='\0';
1078
if(strlen(localhost) == sizeof localhost-1)
1079
{
1080
BIO_printf(bio_err,"localhost name too long\n");
1081
goto end;
1082
}
1083
kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1084
localhost);
1085
}
1086
}
1087
#endif /* OPENSSL_NO_KRB5 */
1088
1089
for (i=0; i<number; i++)
1090
{
1091
if (!reuse) SSL_set_session(c_ssl,NULL);
1092
if (bio_pair)
1093
ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1094
else
1095
ret=doit(s_ssl,c_ssl,bytes);
1096
}
1097
1098
if (!verbose)
1099
{
1100
print_details(c_ssl, "");
1101
}
1102
if ((number > 1) || (bytes > 1L))
1103
BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1104
if (print_time)
1105
{
1106
#ifdef CLOCKS_PER_SEC
1107
/* "To determine the time in seconds, the value returned
1108
* by the clock function should be divided by the value
1109
* of the macro CLOCKS_PER_SEC."
1110
* -- ISO/IEC 9899 */
1111
BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1112
"Approximate total client time: %6.2f s\n",
1113
(double)s_time/CLOCKS_PER_SEC,
1114
(double)c_time/CLOCKS_PER_SEC);
1115
#else
1116
/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1117
* -- cc on NeXTstep/OpenStep */
1118
BIO_printf(bio_stdout,
1119
"Approximate total server time: %6.2f units\n"
1120
"Approximate total client time: %6.2f units\n",
1121
(double)s_time,
1122
(double)c_time);
1123
#endif
1124
}
1125
1126
SSL_free(s_ssl);
1127
SSL_free(c_ssl);
1128
1129
end:
1130
if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1131
if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1132
1133
if (bio_stdout != NULL) BIO_free(bio_stdout);
1134
1135
#ifndef OPENSSL_NO_RSA
1136
free_tmp_rsa();
1137
#endif
1138
#ifndef OPENSSL_NO_ENGINE
1139
ENGINE_cleanup();
1140
#endif
1141
CRYPTO_cleanup_all_ex_data();
1142
ERR_free_strings();
1143
ERR_remove_thread_state(NULL);
1144
EVP_cleanup();
1145
CRYPTO_mem_leaks(bio_err);
1146
if (bio_err != NULL) BIO_free(bio_err);
1147
EXIT(ret);
1148
return ret;
1149
}
1150
1151
int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1152
clock_t *s_time, clock_t *c_time)
1153
{
1154
long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1155
BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1156
BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1157
int ret = 1;
1158
1159
size_t bufsiz = 256; /* small buffer for testing */
1160
1161
if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1162
goto err;
1163
if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1164
goto err;
1165
1166
s_ssl_bio = BIO_new(BIO_f_ssl());
1167
if (!s_ssl_bio)
1168
goto err;
1169
1170
c_ssl_bio = BIO_new(BIO_f_ssl());
1171
if (!c_ssl_bio)
1172
goto err;
1173
1174
SSL_set_connect_state(c_ssl);
1175
SSL_set_bio(c_ssl, client, client);
1176
(void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1177
1178
SSL_set_accept_state(s_ssl);
1179
SSL_set_bio(s_ssl, server, server);
1180
(void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1181
1182
do
1183
{
1184
/* c_ssl_bio: SSL filter BIO
1185
*
1186
* client: pseudo-I/O for SSL library
1187
*
1188
* client_io: client's SSL communication; usually to be
1189
* relayed over some I/O facility, but in this
1190
* test program, we're the server, too:
1191
*
1192
* server_io: server's SSL communication
1193
*
1194
* server: pseudo-I/O for SSL library
1195
*
1196
* s_ssl_bio: SSL filter BIO
1197
*
1198
* The client and the server each employ a "BIO pair":
1199
* client + client_io, server + server_io.
1200
* BIO pairs are symmetric. A BIO pair behaves similar
1201
* to a non-blocking socketpair (but both endpoints must
1202
* be handled by the same thread).
1203
* [Here we could connect client and server to the ends
1204
* of a single BIO pair, but then this code would be less
1205
* suitable as an example for BIO pairs in general.]
1206
*
1207
* Useful functions for querying the state of BIO pair endpoints:
1208
*
1209
* BIO_ctrl_pending(bio) number of bytes we can read now
1210
* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1211
* other side's read attempt
1212
* BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1213
*
1214
* ..._read_request is never more than ..._write_guarantee;
1215
* it depends on the application which one you should use.
1216
*/
1217
1218
/* We have non-blocking behaviour throughout this test program, but
1219
* can be sure that there is *some* progress in each iteration; so
1220
* we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1221
* -- we just try everything in each iteration
1222
*/
1223
1224
{
1225
/* CLIENT */
1226
1227
MS_STATIC char cbuf[1024*8];
1228
int i, r;
1229
clock_t c_clock = clock();
1230
1231
memset(cbuf, 0, sizeof(cbuf));
1232
1233
if (debug)
1234
if (SSL_in_init(c_ssl))
1235
printf("client waiting in SSL_connect - %s\n",
1236
SSL_state_string_long(c_ssl));
1237
1238
if (cw_num > 0)
1239
{
1240
/* Write to server. */
1241
1242
if (cw_num > (long)sizeof cbuf)
1243
i = sizeof cbuf;
1244
else
1245
i = (int)cw_num;
1246
r = BIO_write(c_ssl_bio, cbuf, i);
1247
if (r < 0)
1248
{
1249
if (!BIO_should_retry(c_ssl_bio))
1250
{
1251
fprintf(stderr,"ERROR in CLIENT\n");
1252
goto err;
1253
}
1254
/* BIO_should_retry(...) can just be ignored here.
1255
* The library expects us to call BIO_write with
1256
* the same arguments again, and that's what we will
1257
* do in the next iteration. */
1258
}
1259
else if (r == 0)
1260
{
1261
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1262
goto err;
1263
}
1264
else
1265
{
1266
if (debug)
1267
printf("client wrote %d\n", r);
1268
cw_num -= r;
1269
}
1270
}
1271
1272
if (cr_num > 0)
1273
{
1274
/* Read from server. */
1275
1276
r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1277
if (r < 0)
1278
{
1279
if (!BIO_should_retry(c_ssl_bio))
1280
{
1281
fprintf(stderr,"ERROR in CLIENT\n");
1282
goto err;
1283
}
1284
/* Again, "BIO_should_retry" can be ignored. */
1285
}
1286
else if (r == 0)
1287
{
1288
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1289
goto err;
1290
}
1291
else
1292
{
1293
if (debug)
1294
printf("client read %d\n", r);
1295
cr_num -= r;
1296
}
1297
}
1298
1299
/* c_time and s_time increments will typically be very small
1300
* (depending on machine speed and clock tick intervals),
1301
* but sampling over a large number of connections should
1302
* result in fairly accurate figures. We cannot guarantee
1303
* a lot, however -- if each connection lasts for exactly
1304
* one clock tick, it will be counted only for the client
1305
* or only for the server or even not at all.
1306
*/
1307
*c_time += (clock() - c_clock);
1308
}
1309
1310
{
1311
/* SERVER */
1312
1313
MS_STATIC char sbuf[1024*8];
1314
int i, r;
1315
clock_t s_clock = clock();
1316
1317
memset(sbuf, 0, sizeof(sbuf));
1318
1319
if (debug)
1320
if (SSL_in_init(s_ssl))
1321
printf("server waiting in SSL_accept - %s\n",
1322
SSL_state_string_long(s_ssl));
1323
1324
if (sw_num > 0)
1325
{
1326
/* Write to client. */
1327
1328
if (sw_num > (long)sizeof sbuf)
1329
i = sizeof sbuf;
1330
else
1331
i = (int)sw_num;
1332
r = BIO_write(s_ssl_bio, sbuf, i);
1333
if (r < 0)
1334
{
1335
if (!BIO_should_retry(s_ssl_bio))
1336
{
1337
fprintf(stderr,"ERROR in SERVER\n");
1338
goto err;
1339
}
1340
/* Ignore "BIO_should_retry". */
1341
}
1342
else if (r == 0)
1343
{
1344
fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1345
goto err;
1346
}
1347
else
1348
{
1349
if (debug)
1350
printf("server wrote %d\n", r);
1351
sw_num -= r;
1352
}
1353
}
1354
1355
if (sr_num > 0)
1356
{
1357
/* Read from client. */
1358
1359
r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1360
if (r < 0)
1361
{
1362
if (!BIO_should_retry(s_ssl_bio))
1363
{
1364
fprintf(stderr,"ERROR in SERVER\n");
1365
goto err;
1366
}
1367
/* blah, blah */
1368
}
1369
else if (r == 0)
1370
{
1371
fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1372
goto err;
1373
}
1374
else
1375
{
1376
if (debug)
1377
printf("server read %d\n", r);
1378
sr_num -= r;
1379
}
1380
}
1381
1382
*s_time += (clock() - s_clock);
1383
}
1384
1385
{
1386
/* "I/O" BETWEEN CLIENT AND SERVER. */
1387
1388
size_t r1, r2;
1389
BIO *io1 = server_io, *io2 = client_io;
1390
/* we use the non-copying interface for io1
1391
* and the standard BIO_write/BIO_read interface for io2
1392
*/
1393
1394
static int prev_progress = 1;
1395
int progress = 0;
1396
1397
/* io1 to io2 */
1398
do
1399
{
1400
size_t num;
1401
int r;
1402
1403
r1 = BIO_ctrl_pending(io1);
1404
r2 = BIO_ctrl_get_write_guarantee(io2);
1405
1406
num = r1;
1407
if (r2 < num)
1408
num = r2;
1409
if (num)
1410
{
1411
char *dataptr;
1412
1413
if (INT_MAX < num) /* yeah, right */
1414
num = INT_MAX;
1415
1416
r = BIO_nread(io1, &dataptr, (int)num);
1417
assert(r > 0);
1418
assert(r <= (int)num);
1419
/* possibly r < num (non-contiguous data) */
1420
num = r;
1421
r = BIO_write(io2, dataptr, (int)num);
1422
if (r != (int)num) /* can't happen */
1423
{
1424
fprintf(stderr, "ERROR: BIO_write could not write "
1425
"BIO_ctrl_get_write_guarantee() bytes");
1426
goto err;
1427
}
1428
progress = 1;
1429
1430
if (debug)
1431
printf((io1 == client_io) ?
1432
"C->S relaying: %d bytes\n" :
1433
"S->C relaying: %d bytes\n",
1434
(int)num);
1435
}
1436
}
1437
while (r1 && r2);
1438
1439
/* io2 to io1 */
1440
{
1441
size_t num;
1442
int r;
1443
1444
r1 = BIO_ctrl_pending(io2);
1445
r2 = BIO_ctrl_get_read_request(io1);
1446
/* here we could use ..._get_write_guarantee instead of
1447
* ..._get_read_request, but by using the latter
1448
* we test restartability of the SSL implementation
1449
* more thoroughly */
1450
num = r1;
1451
if (r2 < num)
1452
num = r2;
1453
if (num)
1454
{
1455
char *dataptr;
1456
1457
if (INT_MAX < num)
1458
num = INT_MAX;
1459
1460
if (num > 1)
1461
--num; /* test restartability even more thoroughly */
1462
1463
r = BIO_nwrite0(io1, &dataptr);
1464
assert(r > 0);
1465
if (r < (int)num)
1466
num = r;
1467
r = BIO_read(io2, dataptr, (int)num);
1468
if (r != (int)num) /* can't happen */
1469
{
1470
fprintf(stderr, "ERROR: BIO_read could not read "
1471
"BIO_ctrl_pending() bytes");
1472
goto err;
1473
}
1474
progress = 1;
1475
r = BIO_nwrite(io1, &dataptr, (int)num);
1476
if (r != (int)num) /* can't happen */
1477
{
1478
fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1479
"BIO_nwrite0() bytes");
1480
goto err;
1481
}
1482
1483
if (debug)
1484
printf((io2 == client_io) ?
1485
"C->S relaying: %d bytes\n" :
1486
"S->C relaying: %d bytes\n",
1487
(int)num);
1488
}
1489
} /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1490
1491
if (!progress && !prev_progress)
1492
if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1493
{
1494
fprintf(stderr, "ERROR: got stuck\n");
1495
if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1496
{
1497
fprintf(stderr, "This can happen for SSL2 because "
1498
"CLIENT-FINISHED and SERVER-VERIFY are written \n"
1499
"concurrently ...");
1500
if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1501
&& strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1502
{
1503
fprintf(stderr, " ok.\n");
1504
goto end;
1505
}
1506
}
1507
fprintf(stderr, " ERROR.\n");
1508
goto err;
1509
}
1510
prev_progress = progress;
1511
}
1512
}
1513
while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1514
1515
if (verbose)
1516
print_details(c_ssl, "DONE via BIO pair: ");
1517
end:
1518
ret = 0;
1519
1520
err:
1521
ERR_print_errors(bio_err);
1522
1523
if (server)
1524
BIO_free(server);
1525
if (server_io)
1526
BIO_free(server_io);
1527
if (client)
1528
BIO_free(client);
1529
if (client_io)
1530
BIO_free(client_io);
1531
if (s_ssl_bio)
1532
BIO_free(s_ssl_bio);
1533
if (c_ssl_bio)
1534
BIO_free(c_ssl_bio);
1535
1536
return ret;
1537
}
1538
1539
1540
#define W_READ 1
1541
#define W_WRITE 2
1542
#define C_DONE 1
1543
#define S_DONE 2
1544
1545
int doit(SSL *s_ssl, SSL *c_ssl, long count)
1546
{
1547
MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1548
long cw_num=count,cr_num=count;
1549
long sw_num=count,sr_num=count;
1550
int ret=1;
1551
BIO *c_to_s=NULL;
1552
BIO *s_to_c=NULL;
1553
BIO *c_bio=NULL;
1554
BIO *s_bio=NULL;
1555
int c_r,c_w,s_r,s_w;
1556
int i,j;
1557
int done=0;
1558
int c_write,s_write;
1559
int do_server=0,do_client=0;
1560
1561
memset(cbuf,0,sizeof(cbuf));
1562
memset(sbuf,0,sizeof(sbuf));
1563
1564
c_to_s=BIO_new(BIO_s_mem());
1565
s_to_c=BIO_new(BIO_s_mem());
1566
if ((s_to_c == NULL) || (c_to_s == NULL))
1567
{
1568
ERR_print_errors(bio_err);
1569
goto err;
1570
}
1571
1572
c_bio=BIO_new(BIO_f_ssl());
1573
s_bio=BIO_new(BIO_f_ssl());
1574
if ((c_bio == NULL) || (s_bio == NULL))
1575
{
1576
ERR_print_errors(bio_err);
1577
goto err;
1578
}
1579
1580
SSL_set_connect_state(c_ssl);
1581
SSL_set_bio(c_ssl,s_to_c,c_to_s);
1582
BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1583
1584
SSL_set_accept_state(s_ssl);
1585
SSL_set_bio(s_ssl,c_to_s,s_to_c);
1586
BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1587
1588
c_r=0; s_r=1;
1589
c_w=1; s_w=0;
1590
c_write=1,s_write=0;
1591
1592
/* We can always do writes */
1593
for (;;)
1594
{
1595
do_server=0;
1596
do_client=0;
1597
1598
i=(int)BIO_pending(s_bio);
1599
if ((i && s_r) || s_w) do_server=1;
1600
1601
i=(int)BIO_pending(c_bio);
1602
if ((i && c_r) || c_w) do_client=1;
1603
1604
if (do_server && debug)
1605
{
1606
if (SSL_in_init(s_ssl))
1607
printf("server waiting in SSL_accept - %s\n",
1608
SSL_state_string_long(s_ssl));
1609
/* else if (s_write)
1610
printf("server:SSL_write()\n");
1611
else
1612
printf("server:SSL_read()\n"); */
1613
}
1614
1615
if (do_client && debug)
1616
{
1617
if (SSL_in_init(c_ssl))
1618
printf("client waiting in SSL_connect - %s\n",
1619
SSL_state_string_long(c_ssl));
1620
/* else if (c_write)
1621
printf("client:SSL_write()\n");
1622
else
1623
printf("client:SSL_read()\n"); */
1624
}
1625
1626
if (!do_client && !do_server)
1627
{
1628
fprintf(stdout,"ERROR IN STARTUP\n");
1629
ERR_print_errors(bio_err);
1630
break;
1631
}
1632
if (do_client && !(done & C_DONE))
1633
{
1634
if (c_write)
1635
{
1636
j = (cw_num > (long)sizeof(cbuf)) ?
1637
(int)sizeof(cbuf) : (int)cw_num;
1638
i=BIO_write(c_bio,cbuf,j);
1639
if (i < 0)
1640
{
1641
c_r=0;
1642
c_w=0;
1643
if (BIO_should_retry(c_bio))
1644
{
1645
if (BIO_should_read(c_bio))
1646
c_r=1;
1647
if (BIO_should_write(c_bio))
1648
c_w=1;
1649
}
1650
else
1651
{
1652
fprintf(stderr,"ERROR in CLIENT\n");
1653
ERR_print_errors(bio_err);
1654
goto err;
1655
}
1656
}
1657
else if (i == 0)
1658
{
1659
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1660
goto err;
1661
}
1662
else
1663
{
1664
if (debug)
1665
printf("client wrote %d\n",i);
1666
/* ok */
1667
s_r=1;
1668
c_write=0;
1669
cw_num-=i;
1670
}
1671
}
1672
else
1673
{
1674
i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1675
if (i < 0)
1676
{
1677
c_r=0;
1678
c_w=0;
1679
if (BIO_should_retry(c_bio))
1680
{
1681
if (BIO_should_read(c_bio))
1682
c_r=1;
1683
if (BIO_should_write(c_bio))
1684
c_w=1;
1685
}
1686
else
1687
{
1688
fprintf(stderr,"ERROR in CLIENT\n");
1689
ERR_print_errors(bio_err);
1690
goto err;
1691
}
1692
}
1693
else if (i == 0)
1694
{
1695
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1696
goto err;
1697
}
1698
else
1699
{
1700
if (debug)
1701
printf("client read %d\n",i);
1702
cr_num-=i;
1703
if (sw_num > 0)
1704
{
1705
s_write=1;
1706
s_w=1;
1707
}
1708
if (cr_num <= 0)
1709
{
1710
s_write=1;
1711
s_w=1;
1712
done=S_DONE|C_DONE;
1713
}
1714
}
1715
}
1716
}
1717
1718
if (do_server && !(done & S_DONE))
1719
{
1720
if (!s_write)
1721
{
1722
i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1723
if (i < 0)
1724
{
1725
s_r=0;
1726
s_w=0;
1727
if (BIO_should_retry(s_bio))
1728
{
1729
if (BIO_should_read(s_bio))
1730
s_r=1;
1731
if (BIO_should_write(s_bio))
1732
s_w=1;
1733
}
1734
else
1735
{
1736
fprintf(stderr,"ERROR in SERVER\n");
1737
ERR_print_errors(bio_err);
1738
goto err;
1739
}
1740
}
1741
else if (i == 0)
1742
{
1743
ERR_print_errors(bio_err);
1744
fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1745
goto err;
1746
}
1747
else
1748
{
1749
if (debug)
1750
printf("server read %d\n",i);
1751
sr_num-=i;
1752
if (cw_num > 0)
1753
{
1754
c_write=1;
1755
c_w=1;
1756
}
1757
if (sr_num <= 0)
1758
{
1759
s_write=1;
1760
s_w=1;
1761
c_write=0;
1762
}
1763
}
1764
}
1765
else
1766
{
1767
j = (sw_num > (long)sizeof(sbuf)) ?
1768
(int)sizeof(sbuf) : (int)sw_num;
1769
i=BIO_write(s_bio,sbuf,j);
1770
if (i < 0)
1771
{
1772
s_r=0;
1773
s_w=0;
1774
if (BIO_should_retry(s_bio))
1775
{
1776
if (BIO_should_read(s_bio))
1777
s_r=1;
1778
if (BIO_should_write(s_bio))
1779
s_w=1;
1780
}
1781
else
1782
{
1783
fprintf(stderr,"ERROR in SERVER\n");
1784
ERR_print_errors(bio_err);
1785
goto err;
1786
}
1787
}
1788
else if (i == 0)
1789
{
1790
ERR_print_errors(bio_err);
1791
fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1792
goto err;
1793
}
1794
else
1795
{
1796
if (debug)
1797
printf("server wrote %d\n",i);
1798
sw_num-=i;
1799
s_write=0;
1800
c_r=1;
1801
if (sw_num <= 0)
1802
done|=S_DONE;
1803
}
1804
}
1805
}
1806
1807
if ((done & S_DONE) && (done & C_DONE)) break;
1808
}
1809
1810
if (verbose)
1811
print_details(c_ssl, "DONE: ");
1812
ret=0;
1813
err:
1814
/* We have to set the BIO's to NULL otherwise they will be
1815
* OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1816
* again when c_ssl is SSL_free()ed.
1817
* This is a hack required because s_ssl and c_ssl are sharing the same
1818
* BIO structure and SSL_set_bio() and SSL_free() automatically
1819
* BIO_free non NULL entries.
1820
* You should not normally do this or be required to do this */
1821
if (s_ssl != NULL)
1822
{
1823
s_ssl->rbio=NULL;
1824
s_ssl->wbio=NULL;
1825
}
1826
if (c_ssl != NULL)
1827
{
1828
c_ssl->rbio=NULL;
1829
c_ssl->wbio=NULL;
1830
}
1831
1832
if (c_to_s != NULL) BIO_free(c_to_s);
1833
if (s_to_c != NULL) BIO_free(s_to_c);
1834
if (c_bio != NULL) BIO_free_all(c_bio);
1835
if (s_bio != NULL) BIO_free_all(s_bio);
1836
return(ret);
1837
}
1838
1839
static int get_proxy_auth_ex_data_idx(void)
1840
{
1841
static volatile int idx = -1;
1842
if (idx < 0)
1843
{
1844
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1845
if (idx < 0)
1846
{
1847
idx = X509_STORE_CTX_get_ex_new_index(0,
1848
"SSLtest for verify callback", NULL,NULL,NULL);
1849
}
1850
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1851
}
1852
return idx;
1853
}
1854
1855
static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1856
{
1857
char *s,buf[256];
1858
1859
s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1860
sizeof buf);
1861
if (s != NULL)
1862
{
1863
if (ok)
1864
fprintf(stderr,"depth=%d %s\n",
1865
ctx->error_depth,buf);
1866
else
1867
{
1868
fprintf(stderr,"depth=%d error=%d %s\n",
1869
ctx->error_depth,ctx->error,buf);
1870
}
1871
}
1872
1873
if (ok == 0)
1874
{
1875
fprintf(stderr,"Error string: %s\n",
1876
X509_verify_cert_error_string(ctx->error));
1877
switch (ctx->error)
1878
{
1879
case X509_V_ERR_CERT_NOT_YET_VALID:
1880
case X509_V_ERR_CERT_HAS_EXPIRED:
1881
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1882
fprintf(stderr," ... ignored.\n");
1883
ok=1;
1884
}
1885
}
1886
1887
if (ok == 1)
1888
{
1889
X509 *xs = ctx->current_cert;
1890
#if 0
1891
X509 *xi = ctx->current_issuer;
1892
#endif
1893
1894
if (xs->ex_flags & EXFLAG_PROXY)
1895
{
1896
unsigned int *letters =
1897
X509_STORE_CTX_get_ex_data(ctx,
1898
get_proxy_auth_ex_data_idx());
1899
1900
if (letters)
1901
{
1902
int found_any = 0;
1903
int i;
1904
PROXY_CERT_INFO_EXTENSION *pci =
1905
X509_get_ext_d2i(xs, NID_proxyCertInfo,
1906
NULL, NULL);
1907
1908
switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1909
{
1910
case NID_Independent:
1911
/* Completely meaningless in this
1912
program, as there's no way to
1913
grant explicit rights to a
1914
specific PrC. Basically, using
1915
id-ppl-Independent is the perfect
1916
way to grant no rights at all. */
1917
fprintf(stderr, " Independent proxy certificate");
1918
for (i = 0; i < 26; i++)
1919
letters[i] = 0;
1920
break;
1921
case NID_id_ppl_inheritAll:
1922
/* This is basically a NOP, we
1923
simply let the current rights
1924
stand as they are. */
1925
fprintf(stderr, " Proxy certificate inherits all");
1926
break;
1927
default:
1928
s = (char *)
1929
pci->proxyPolicy->policy->data;
1930
i = pci->proxyPolicy->policy->length;
1931
1932
/* The algorithm works as follows:
1933
it is assumed that previous
1934
iterations or the initial granted
1935
rights has already set some elements
1936
of `letters'. What we need to do is
1937
to clear those that weren't granted
1938
by the current PrC as well. The
1939
easiest way to do this is to add 1
1940
to all the elements whose letters
1941
are given with the current policy.
1942
That way, all elements that are set
1943
by the current policy and were
1944
already set by earlier policies and
1945
through the original grant of rights
1946
will get the value 2 or higher.
1947
The last thing to do is to sweep
1948
through `letters' and keep the
1949
elements having the value 2 as set,
1950
and clear all the others. */
1951
1952
fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1953
while(i-- > 0)
1954
{
1955
int c = *s++;
1956
if (isascii(c) && isalpha(c))
1957
{
1958
if (islower(c))
1959
c = toupper(c);
1960
letters[c - 'A']++;
1961
}
1962
}
1963
for (i = 0; i < 26; i++)
1964
if (letters[i] < 2)
1965
letters[i] = 0;
1966
else
1967
letters[i] = 1;
1968
}
1969
1970
found_any = 0;
1971
fprintf(stderr,
1972
", resulting proxy rights = ");
1973
for(i = 0; i < 26; i++)
1974
if (letters[i])
1975
{
1976
fprintf(stderr, "%c", i + 'A');
1977
found_any = 1;
1978
}
1979
if (!found_any)
1980
fprintf(stderr, "none");
1981
fprintf(stderr, "\n");
1982
1983
PROXY_CERT_INFO_EXTENSION_free(pci);
1984
}
1985
}
1986
}
1987
1988
return(ok);
1989
}
1990
1991
static void process_proxy_debug(int indent, const char *format, ...)
1992
{
1993
static const char indentation[] =
1994
">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1995
">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1996
char my_format[256];
1997
va_list args;
1998
1999
BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2000
indent, indent, indentation, format);
2001
2002
va_start(args, format);
2003
vfprintf(stderr, my_format, args);
2004
va_end(args);
2005
}
2006
/* Priority levels:
2007
0 [!]var, ()
2008
1 & ^
2009
2 |
2010
*/
2011
static int process_proxy_cond_adders(unsigned int letters[26],
2012
const char *cond, const char **cond_end, int *pos, int indent);
2013
static int process_proxy_cond_val(unsigned int letters[26],
2014
const char *cond, const char **cond_end, int *pos, int indent)
2015
{
2016
int c;
2017
int ok = 1;
2018
int negate = 0;
2019
2020
while(isspace((int)*cond))
2021
{
2022
cond++; (*pos)++;
2023
}
2024
c = *cond;
2025
2026
if (debug)
2027
process_proxy_debug(indent,
2028
"Start process_proxy_cond_val at position %d: %s\n",
2029
*pos, cond);
2030
2031
while(c == '!')
2032
{
2033
negate = !negate;
2034
cond++; (*pos)++;
2035
while(isspace((int)*cond))
2036
{
2037
cond++; (*pos)++;
2038
}
2039
c = *cond;
2040
}
2041
2042
if (c == '(')
2043
{
2044
cond++; (*pos)++;
2045
ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2046
indent + 1);
2047
cond = *cond_end;
2048
if (ok < 0)
2049
goto end;
2050
while(isspace((int)*cond))
2051
{
2052
cond++; (*pos)++;
2053
}
2054
c = *cond;
2055
if (c != ')')
2056
{
2057
fprintf(stderr,
2058
"Weird condition character in position %d: "
2059
"%c\n", *pos, c);
2060
ok = -1;
2061
goto end;
2062
}
2063
cond++; (*pos)++;
2064
}
2065
else if (isascii(c) && isalpha(c))
2066
{
2067
if (islower(c))
2068
c = toupper(c);
2069
ok = letters[c - 'A'];
2070
cond++; (*pos)++;
2071
}
2072
else
2073
{
2074
fprintf(stderr,
2075
"Weird condition character in position %d: "
2076
"%c\n", *pos, c);
2077
ok = -1;
2078
goto end;
2079
}
2080
end:
2081
*cond_end = cond;
2082
if (ok >= 0 && negate)
2083
ok = !ok;
2084
2085
if (debug)
2086
process_proxy_debug(indent,
2087
"End process_proxy_cond_val at position %d: %s, returning %d\n",
2088
*pos, cond, ok);
2089
2090
return ok;
2091
}
2092
static int process_proxy_cond_multipliers(unsigned int letters[26],
2093
const char *cond, const char **cond_end, int *pos, int indent)
2094
{
2095
int ok;
2096
char c;
2097
2098
if (debug)
2099
process_proxy_debug(indent,
2100
"Start process_proxy_cond_multipliers at position %d: %s\n",
2101
*pos, cond);
2102
2103
ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2104
cond = *cond_end;
2105
if (ok < 0)
2106
goto end;
2107
2108
while(ok >= 0)
2109
{
2110
while(isspace((int)*cond))
2111
{
2112
cond++; (*pos)++;
2113
}
2114
c = *cond;
2115
2116
switch(c)
2117
{
2118
case '&':
2119
case '^':
2120
{
2121
int save_ok = ok;
2122
2123
cond++; (*pos)++;
2124
ok = process_proxy_cond_val(letters,
2125
cond, cond_end, pos, indent + 1);
2126
cond = *cond_end;
2127
if (ok < 0)
2128
break;
2129
2130
switch(c)
2131
{
2132
case '&':
2133
ok &= save_ok;
2134
break;
2135
case '^':
2136
ok ^= save_ok;
2137
break;
2138
default:
2139
fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2140
" STOPPING\n");
2141
EXIT(1);
2142
}
2143
}
2144
break;
2145
default:
2146
goto end;
2147
}
2148
}
2149
end:
2150
if (debug)
2151
process_proxy_debug(indent,
2152
"End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2153
*pos, cond, ok);
2154
2155
*cond_end = cond;
2156
return ok;
2157
}
2158
static int process_proxy_cond_adders(unsigned int letters[26],
2159
const char *cond, const char **cond_end, int *pos, int indent)
2160
{
2161
int ok;
2162
char c;
2163
2164
if (debug)
2165
process_proxy_debug(indent,
2166
"Start process_proxy_cond_adders at position %d: %s\n",
2167
*pos, cond);
2168
2169
ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2170
indent + 1);
2171
cond = *cond_end;
2172
if (ok < 0)
2173
goto end;
2174
2175
while(ok >= 0)
2176
{
2177
while(isspace((int)*cond))
2178
{
2179
cond++; (*pos)++;
2180
}
2181
c = *cond;
2182
2183
switch(c)
2184
{
2185
case '|':
2186
{
2187
int save_ok = ok;
2188
2189
cond++; (*pos)++;
2190
ok = process_proxy_cond_multipliers(letters,
2191
cond, cond_end, pos, indent + 1);
2192
cond = *cond_end;
2193
if (ok < 0)
2194
break;
2195
2196
switch(c)
2197
{
2198
case '|':
2199
ok |= save_ok;
2200
break;
2201
default:
2202
fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2203
" STOPPING\n");
2204
EXIT(1);
2205
}
2206
}
2207
break;
2208
default:
2209
goto end;
2210
}
2211
}
2212
end:
2213
if (debug)
2214
process_proxy_debug(indent,
2215
"End process_proxy_cond_adders at position %d: %s, returning %d\n",
2216
*pos, cond, ok);
2217
2218
*cond_end = cond;
2219
return ok;
2220
}
2221
2222
static int process_proxy_cond(unsigned int letters[26],
2223
const char *cond, const char **cond_end)
2224
{
2225
int pos = 1;
2226
return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2227
}
2228
2229
static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2230
{
2231
int ok=1;
2232
struct app_verify_arg *cb_arg = arg;
2233
unsigned int letters[26]; /* only used with proxy_auth */
2234
2235
if (cb_arg->app_verify)
2236
{
2237
char *s = NULL,buf[256];
2238
2239
fprintf(stderr, "In app_verify_callback, allowing cert. ");
2240
fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2241
fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2242
(void *)ctx, (void *)ctx->cert);
2243
if (ctx->cert)
2244
s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2245
if (s != NULL)
2246
{
2247
fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2248
}
2249
return(1);
2250
}
2251
if (cb_arg->proxy_auth)
2252
{
2253
int found_any = 0, i;
2254
char *sp;
2255
2256
for(i = 0; i < 26; i++)
2257
letters[i] = 0;
2258
for(sp = cb_arg->proxy_auth; *sp; sp++)
2259
{
2260
int c = *sp;
2261
if (isascii(c) && isalpha(c))
2262
{
2263
if (islower(c))
2264
c = toupper(c);
2265
letters[c - 'A'] = 1;
2266
}
2267
}
2268
2269
fprintf(stderr,
2270
" Initial proxy rights = ");
2271
for(i = 0; i < 26; i++)
2272
if (letters[i])
2273
{
2274
fprintf(stderr, "%c", i + 'A');
2275
found_any = 1;
2276
}
2277
if (!found_any)
2278
fprintf(stderr, "none");
2279
fprintf(stderr, "\n");
2280
2281
X509_STORE_CTX_set_ex_data(ctx,
2282
get_proxy_auth_ex_data_idx(),letters);
2283
}
2284
if (cb_arg->allow_proxy_certs)
2285
{
2286
X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2287
}
2288
2289
#ifndef OPENSSL_NO_X509_VERIFY
2290
ok = X509_verify_cert(ctx);
2291
#endif
2292
2293
if (cb_arg->proxy_auth)
2294
{
2295
if (ok > 0)
2296
{
2297
const char *cond_end = NULL;
2298
2299
ok = process_proxy_cond(letters,
2300
cb_arg->proxy_cond, &cond_end);
2301
2302
if (ok < 0)
2303
EXIT(3);
2304
if (*cond_end)
2305
{
2306
fprintf(stderr, "Stopped processing condition before it's end.\n");
2307
ok = 0;
2308
}
2309
if (!ok)
2310
fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2311
cb_arg->proxy_cond);
2312
else
2313
fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2314
cb_arg->proxy_cond);
2315
}
2316
}
2317
return(ok);
2318
}
2319
2320
#ifndef OPENSSL_NO_RSA
2321
static RSA *rsa_tmp=NULL;
2322
2323
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2324
{
2325
BIGNUM *bn = NULL;
2326
if (rsa_tmp == NULL)
2327
{
2328
bn = BN_new();
2329
rsa_tmp = RSA_new();
2330
if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2331
{
2332
BIO_printf(bio_err, "Memory error...");
2333
goto end;
2334
}
2335
BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2336
(void)BIO_flush(bio_err);
2337
if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2338
{
2339
BIO_printf(bio_err, "Error generating key.");
2340
RSA_free(rsa_tmp);
2341
rsa_tmp = NULL;
2342
}
2343
end:
2344
BIO_printf(bio_err,"\n");
2345
(void)BIO_flush(bio_err);
2346
}
2347
if(bn) BN_free(bn);
2348
return(rsa_tmp);
2349
}
2350
2351
static void free_tmp_rsa(void)
2352
{
2353
if (rsa_tmp != NULL)
2354
{
2355
RSA_free(rsa_tmp);
2356
rsa_tmp = NULL;
2357
}
2358
}
2359
#endif
2360
2361
#ifndef OPENSSL_NO_DH
2362
/* These DH parameters have been generated as follows:
2363
* $ openssl dhparam -C -noout 512
2364
* $ openssl dhparam -C -noout 1024
2365
* $ openssl dhparam -C -noout -dsaparam 1024
2366
* (The third function has been renamed to avoid name conflicts.)
2367
*/
2368
static DH *get_dh512()
2369
{
2370
static unsigned char dh512_p[]={
2371
0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2372
0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2373
0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2374
0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2375
0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2376
0x02,0xC5,0xAE,0x23,
2377
};
2378
static unsigned char dh512_g[]={
2379
0x02,
2380
};
2381
DH *dh;
2382
2383
if ((dh=DH_new()) == NULL) return(NULL);
2384
dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2385
dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2386
if ((dh->p == NULL) || (dh->g == NULL))
2387
{ DH_free(dh); return(NULL); }
2388
return(dh);
2389
}
2390
2391
static DH *get_dh1024()
2392
{
2393
static unsigned char dh1024_p[]={
2394
0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2395
0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2396
0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2397
0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2398
0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2399
0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2400
0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2401
0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2402
0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2403
0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2404
0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2405
};
2406
static unsigned char dh1024_g[]={
2407
0x02,
2408
};
2409
DH *dh;
2410
2411
if ((dh=DH_new()) == NULL) return(NULL);
2412
dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2413
dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2414
if ((dh->p == NULL) || (dh->g == NULL))
2415
{ DH_free(dh); return(NULL); }
2416
return(dh);
2417
}
2418
2419
static DH *get_dh1024dsa()
2420
{
2421
static unsigned char dh1024_p[]={
2422
0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2423
0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2424
0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2425
0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2426
0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2427
0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2428
0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2429
0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2430
0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2431
0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2432
0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2433
};
2434
static unsigned char dh1024_g[]={
2435
0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2436
0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2437
0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2438
0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2439
0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2440
0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2441
0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2442
0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2443
0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2444
0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2445
0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2446
};
2447
DH *dh;
2448
2449
if ((dh=DH_new()) == NULL) return(NULL);
2450
dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2451
dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2452
if ((dh->p == NULL) || (dh->g == NULL))
2453
{ DH_free(dh); return(NULL); }
2454
dh->length = 160;
2455
return(dh);
2456
}
2457
#endif
2458
2459
#ifndef OPENSSL_NO_PSK
2460
/* convert the PSK key (psk_key) in ascii to binary (psk) */
2461
static int psk_key2bn(const char *pskkey, unsigned char *psk,
2462
unsigned int max_psk_len)
2463
{
2464
int ret;
2465
BIGNUM *bn = NULL;
2466
2467
ret = BN_hex2bn(&bn, pskkey);
2468
if (!ret)
2469
{
2470
BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2471
if (bn)
2472
BN_free(bn);
2473
return 0;
2474
}
2475
if (BN_num_bytes(bn) > (int)max_psk_len)
2476
{
2477
BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2478
max_psk_len, BN_num_bytes(bn));
2479
BN_free(bn);
2480
return 0;
2481
}
2482
ret = BN_bn2bin(bn, psk);
2483
BN_free(bn);
2484
return ret;
2485
}
2486
2487
static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2488
unsigned int max_identity_len, unsigned char *psk,
2489
unsigned int max_psk_len)
2490
{
2491
int ret;
2492
unsigned int psk_len = 0;
2493
2494
ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2495
if (ret < 0)
2496
goto out_err;
2497
if (debug)
2498
fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2499
ret = psk_key2bn(psk_key, psk, max_psk_len);
2500
if (ret < 0)
2501
goto out_err;
2502
psk_len = ret;
2503
out_err:
2504
return psk_len;
2505
}
2506
2507
static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2508
unsigned char *psk, unsigned int max_psk_len)
2509
{
2510
unsigned int psk_len=0;
2511
2512
if (strcmp(identity, "Client_identity") != 0)
2513
{
2514
BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2515
return 0;
2516
}
2517
psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2518
return psk_len;
2519
}
2520
#endif
2521
2522
static int do_test_cipherlist(void)
2523
{
2524
int i = 0;
2525
const SSL_METHOD *meth;
2526
const SSL_CIPHER *ci, *tci = NULL;
2527
2528
#ifndef OPENSSL_NO_SSL2
2529
fprintf(stderr, "testing SSLv2 cipher list order: ");
2530
meth = SSLv2_method();
2531
while ((ci = meth->get_cipher(i++)) != NULL)
2532
{
2533
if (tci != NULL)
2534
if (ci->id >= tci->id)
2535
{
2536
fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2537
return 0;
2538
}
2539
tci = ci;
2540
}
2541
fprintf(stderr, "ok\n");
2542
#endif
2543
#ifndef OPENSSL_NO_SSL3
2544
fprintf(stderr, "testing SSLv3 cipher list order: ");
2545
meth = SSLv3_method();
2546
tci = NULL;
2547
while ((ci = meth->get_cipher(i++)) != NULL)
2548
{
2549
if (tci != NULL)
2550
if (ci->id >= tci->id)
2551
{
2552
fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2553
return 0;
2554
}
2555
tci = ci;
2556
}
2557
fprintf(stderr, "ok\n");
2558
#endif
2559
#ifndef OPENSSL_NO_TLS1
2560
fprintf(stderr, "testing TLSv1 cipher list order: ");
2561
meth = TLSv1_method();
2562
tci = NULL;
2563
while ((ci = meth->get_cipher(i++)) != NULL)
2564
{
2565
if (tci != NULL)
2566
if (ci->id >= tci->id)
2567
{
2568
fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2569
return 0;
2570
}
2571
tci = ci;
2572
}
2573
fprintf(stderr, "ok\n");
2574
#endif
2575
2576
return 1;
2577
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1