032a477f097f2ac259ae038fe587bfa626e4ed5d
[openssl.git] / ssl / ssltest.c
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by 
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116 /* ====================================================================
117  * Copyright 2005 Nokia. All rights reserved.
118  *
119  * The portions of the attached software ("Contribution") is developed by
120  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121  * license.
122  *
123  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125  * support (see RFC 4279) to OpenSSL.
126  *
127  * No patent licenses or other rights except those expressly stated in
128  * the OpenSSL open source license shall be deemed granted or received
129  * expressly, by implication, estoppel, or otherwise.
130  *
131  * No assurances are provided by Nokia that the Contribution does not
132  * infringe the patent or other intellectual property rights of any third
133  * party or that the license provides you with all the necessary rights
134  * to make use of the Contribution.
135  *
136  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140  * OTHERWISE.
141  */
142
143 #define _BSD_SOURCE 1           /* Or gethostname won't be declared properly
144                                    on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500       /* Or isascii won't be declared properly on
159                                    VMS (at least with DECompHP C).  */
160 #endif
161
162 #include <ctype.h>
163
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #include <openssl/bn.h>
185
186 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
187                                      on Compaq platforms (at least with DEC C).
188                                      Do not try to put it earlier, or IPv6 includes
189                                      get screwed...
190                                   */
191
192 #ifdef OPENSSL_SYS_WINDOWS
193 #include <winsock.h>
194 #else
195 #include OPENSSL_UNISTD
196 #endif
197
198 #ifdef OPENSSL_SYS_VMS
199 #  define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
200 #  define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
201 #elif defined(OPENSSL_SYS_WINCE)
202 #  define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
203 #  define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
204 #elif defined(OPENSSL_SYS_NETWARE)
205 #  define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
206 #  define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
207 #else
208 #  define TEST_SERVER_CERT "../apps/server.pem"
209 #  define TEST_CLIENT_CERT "../apps/client.pem"
210 #endif
211
212 /* There is really no standard for this, so let's assign some tentative
213    numbers.  In any case, these numbers are only for this test */
214 #define COMP_RLE        255
215 #define COMP_ZLIB       1
216
217 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
218 #ifndef OPENSSL_NO_RSA
219 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
220 static void free_tmp_rsa(void);
221 #endif
222 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
223 #define APP_CALLBACK_STRING "Test Callback Argument"
224 struct app_verify_arg
225         {
226         char *string;
227         int app_verify;
228         int allow_proxy_certs;
229         char *proxy_auth;
230         char *proxy_cond;
231         };
232
233 #ifndef OPENSSL_NO_DH
234 static DH *get_dh512(void);
235 static DH *get_dh1024(void);
236 static DH *get_dh1024dsa(void);
237 #endif
238
239
240 static char *psk_key=NULL; /* by default PSK is not used */
241 #ifndef OPENSSL_NO_PSK
242 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
243         unsigned int max_identity_len, unsigned char *psk,
244         unsigned int max_psk_len);
245 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
246         unsigned int max_psk_len);
247 #endif
248
249 static BIO *bio_err=NULL;
250 static BIO *bio_stdout=NULL;
251
252 #ifndef OPENSSL_NO_NPN
253 /* Note that this code assumes that this is only a one element list: */
254 static const char NEXT_PROTO_STRING[] = "\x09testproto";
255 int npn_client = 0;
256 int npn_server = 0;
257 int npn_server_reject = 0;
258
259 static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
260         {
261         /* This callback only returns the protocol string, rather than a length
262            prefixed set. We assume that NEXT_PROTO_STRING is a one element list and
263            remove the first byte to chop off the length prefix. */
264         *out = (unsigned char*) NEXT_PROTO_STRING + 1;
265         *outlen = sizeof(NEXT_PROTO_STRING) - 2;
266         return SSL_TLSEXT_ERR_OK;
267         }
268
269 static int cb_server_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
270         {
271         *data = (const unsigned char *) NEXT_PROTO_STRING;
272         *len = sizeof(NEXT_PROTO_STRING) - 1;
273         return SSL_TLSEXT_ERR_OK;
274         }
275
276 static int cb_server_rejects_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
277         {
278         return SSL_TLSEXT_ERR_NOACK;
279         }
280
281 static int verify_npn(SSL *client, SSL *server)
282         {
283         const unsigned char *client_s;
284         unsigned client_len;
285         const unsigned char *server_s;
286         unsigned server_len;
287
288         SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
289         SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
290
291         if (client_len)
292                 {
293                 BIO_printf(bio_stdout, "Client NPN: ");
294                 BIO_write(bio_stdout, client_s, client_len);
295                 BIO_printf(bio_stdout, "\n");
296                 }
297
298         if (server_len)
299                 {
300                 BIO_printf(bio_stdout, "Server NPN: ");
301                 BIO_write(bio_stdout, server_s, server_len);
302                 BIO_printf(bio_stdout, "\n");
303                 }
304
305         /* If an NPN string was returned, it must be the protocol that we
306          * expected to negotiate. */
307         if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
308                            memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
309                 return -1;
310         if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
311                            memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
312                 return -1;
313
314         if (!npn_client && client_len)
315                 return -1;
316         if (!npn_server && server_len)
317                 return -1;
318         if (npn_server_reject && server_len)
319                 return -1;
320         if (npn_client && npn_server && (!client_len || !server_len))
321                 return -1;
322
323         return 0;
324         }
325 #endif
326
327 static char *cipher=NULL;
328 static int verbose=0;
329 static int debug=0;
330 #if 0
331 /* Not used yet. */
332 #ifdef FIONBIO
333 static int s_nbio=0;
334 #endif
335 #endif
336
337 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
338
339 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
340 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
341 static int do_test_cipherlist(void);
342 static void sv_usage(void)
343         {
344         fprintf(stderr,"usage: ssltest [args ...]\n");
345         fprintf(stderr,"\n");
346         fprintf(stderr," -server_auth  - check server certificate\n");
347         fprintf(stderr," -client_auth  - do client authentication\n");
348         fprintf(stderr," -proxy        - allow proxy certificates\n");
349         fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
350         fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
351         fprintf(stderr," -v            - more output\n");
352         fprintf(stderr," -d            - debug output\n");
353         fprintf(stderr," -reuse        - use session-id reuse\n");
354         fprintf(stderr," -num <val>    - number of connections to perform\n");
355         fprintf(stderr," -bytes <val>  - number of bytes to swap between client/server\n");
356 #ifndef OPENSSL_NO_DH
357         fprintf(stderr," -dhe1024      - use 1024 bit key (safe prime) for DHE\n");
358         fprintf(stderr," -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
359         fprintf(stderr," -no_dhe       - disable DHE\n");
360 #endif
361 #ifndef OPENSSL_NO_ECDH
362         fprintf(stderr," -no_ecdhe     - disable ECDHE\n");
363 #endif
364 #ifndef OPENSSL_NO_PSK
365         fprintf(stderr," -psk arg      - PSK in hex (without 0x)\n");
366 #endif
367 #ifndef OPENSSL_NO_SSL2
368         fprintf(stderr," -ssl2         - use SSLv2\n");
369 #endif
370 #ifndef OPENSSL_NO_SSL3
371         fprintf(stderr," -ssl3         - use SSLv3\n");
372 #endif
373 #ifndef OPENSSL_NO_TLS1
374         fprintf(stderr," -tls1         - use TLSv1\n");
375 #endif
376         fprintf(stderr," -CApath arg   - PEM format directory of CA's\n");
377         fprintf(stderr," -CAfile arg   - PEM format file of CA's\n");
378         fprintf(stderr," -cert arg     - Server certificate file\n");
379         fprintf(stderr," -key arg      - Server key file (default: same as -cert)\n");
380         fprintf(stderr," -c_cert arg   - Client certificate file\n");
381         fprintf(stderr," -c_key arg    - Client key file (default: same as -c_cert)\n");
382         fprintf(stderr," -cipher arg   - The cipher list\n");
383         fprintf(stderr," -bio_pair     - Use BIO pairs\n");
384         fprintf(stderr," -f            - Test even cases that can't work\n");
385         fprintf(stderr," -time         - measure processor time used by client and server\n");
386         fprintf(stderr," -zlib         - use zlib compression\n");
387         fprintf(stderr," -rle          - use rle compression\n");
388 #ifndef OPENSSL_NO_ECDH
389         fprintf(stderr," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
390                        "                 Use \"openssl ecparam -list_curves\" for all names\n"  \
391                        "                 (default is sect163r2).\n");
392 #endif
393         fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
394 #ifndef OPENSSL_NO_NPN
395         fprintf(stderr," -npn_client - have client side offer NPN\n");
396         fprintf(stderr," -npn_server - have server side offer NPN\n");
397         fprintf(stderr," -npn_server_reject - have server reject NPN\n");
398 #endif
399         }
400
401 static void print_details(SSL *c_ssl, const char *prefix)
402         {
403         const SSL_CIPHER *ciph;
404         X509 *cert;
405                 
406         ciph=SSL_get_current_cipher(c_ssl);
407         BIO_printf(bio_stdout,"%s%s, cipher %s %s",
408                 prefix,
409                 SSL_get_version(c_ssl),
410                 SSL_CIPHER_get_version(ciph),
411                 SSL_CIPHER_get_name(ciph));
412         cert=SSL_get_peer_certificate(c_ssl);
413         if (cert != NULL)
414                 {
415                 EVP_PKEY *pkey = X509_get_pubkey(cert);
416                 if (pkey != NULL)
417                         {
418                         if (0) 
419                                 ;
420 #ifndef OPENSSL_NO_RSA
421                         else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
422                                 && pkey->pkey.rsa->n != NULL)
423                                 {
424                                 BIO_printf(bio_stdout, ", %d bit RSA",
425                                         BN_num_bits(pkey->pkey.rsa->n));
426                                 }
427 #endif
428 #ifndef OPENSSL_NO_DSA
429                         else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
430                                 && pkey->pkey.dsa->p != NULL)
431                                 {
432                                 BIO_printf(bio_stdout, ", %d bit DSA",
433                                         BN_num_bits(pkey->pkey.dsa->p));
434                                 }
435 #endif
436                         EVP_PKEY_free(pkey);
437                         }
438                 X509_free(cert);
439                 }
440         /* The SSL API does not allow us to look at temporary RSA/DH keys,
441          * otherwise we should print their lengths too */
442         BIO_printf(bio_stdout,"\n");
443         }
444
445 static void lock_dbg_cb(int mode, int type, const char *file, int line)
446         {
447         static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
448         const char *errstr = NULL;
449         int rw;
450         
451         rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
452         if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
453                 {
454                 errstr = "invalid mode";
455                 goto err;
456                 }
457
458         if (type < 0 || type >= CRYPTO_NUM_LOCKS)
459                 {
460                 errstr = "type out of bounds";
461                 goto err;
462                 }
463
464         if (mode & CRYPTO_LOCK)
465                 {
466                 if (modes[type])
467                         {
468                         errstr = "already locked";
469                         /* must not happen in a single-threaded program
470                          * (would deadlock) */
471                         goto err;
472                         }
473
474                 modes[type] = rw;
475                 }
476         else if (mode & CRYPTO_UNLOCK)
477                 {
478                 if (!modes[type])
479                         {
480                         errstr = "not locked";
481                         goto err;
482                         }
483                 
484                 if (modes[type] != rw)
485                         {
486                         errstr = (rw == CRYPTO_READ) ?
487                                 "CRYPTO_r_unlock on write lock" :
488                                 "CRYPTO_w_unlock on read lock";
489                         }
490
491                 modes[type] = 0;
492                 }
493         else
494                 {
495                 errstr = "invalid mode";
496                 goto err;
497                 }
498
499  err:
500         if (errstr)
501                 {
502                 /* we cannot use bio_err here */
503                 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
504                         errstr, mode, type, file, line);
505                 }
506         }
507
508 #ifdef TLSEXT_TYPE_opaque_prf_input
509 struct cb_info_st { void *input; size_t len; int ret; };
510 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
511 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
512 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
513 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
514
515 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
516         {
517         struct cb_info_st *arg = arg_;
518
519         if (arg == NULL)
520                 return 1;
521         
522         if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
523                 return 0;
524         return arg->ret;
525         }
526 #endif
527
528 int main(int argc, char *argv[])
529         {
530         char *CApath=NULL,*CAfile=NULL;
531         int badop=0;
532         int bio_pair=0;
533         int force=0;
534         int tls1=0,ssl2=0,ssl3=0,ret=1;
535         int client_auth=0;
536         int server_auth=0,i;
537         struct app_verify_arg app_verify_arg =
538                 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
539         char *server_cert=TEST_SERVER_CERT;
540         char *server_key=NULL;
541         char *client_cert=TEST_CLIENT_CERT;
542         char *client_key=NULL;
543 #ifndef OPENSSL_NO_ECDH
544         char *named_curve = NULL;
545 #endif
546         SSL_CTX *s_ctx=NULL;
547         SSL_CTX *c_ctx=NULL;
548         const SSL_METHOD *meth=NULL;
549         SSL *c_ssl,*s_ssl;
550         int number=1,reuse=0;
551         long bytes=256L;
552 #ifndef OPENSSL_NO_DH
553         DH *dh;
554         int dhe1024 = 0, dhe1024dsa = 0;
555 #endif
556 #ifndef OPENSSL_NO_ECDH
557         EC_KEY *ecdh = NULL;
558 #endif
559         int no_dhe = 0;
560         int no_ecdhe = 0;
561         int no_psk = 0;
562         int print_time = 0;
563         clock_t s_time = 0, c_time = 0;
564         int comp = 0;
565 #ifndef OPENSSL_NO_COMP
566         COMP_METHOD *cm = NULL;
567         STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
568 #endif
569         int test_cipherlist = 0;
570
571         verbose = 0;
572         debug = 0;
573         cipher = 0;
574
575         bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);     
576
577         CRYPTO_set_locking_callback(lock_dbg_cb);
578
579         /* enable memory leak checking unless explicitly disabled */
580         if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
581                 {
582                 CRYPTO_malloc_debug_init();
583                 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
584                 }
585         else
586                 {
587                 /* OPENSSL_DEBUG_MEMORY=off */
588                 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
589                 }
590         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
591
592         RAND_seed(rnd_seed, sizeof rnd_seed);
593
594         bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
595
596         argc--;
597         argv++;
598
599         while (argc >= 1)
600                 {
601                 if      (strcmp(*argv,"-server_auth") == 0)
602                         server_auth=1;
603                 else if (strcmp(*argv,"-client_auth") == 0)
604                         client_auth=1;
605                 else if (strcmp(*argv,"-proxy_auth") == 0)
606                         {
607                         if (--argc < 1) goto bad;
608                         app_verify_arg.proxy_auth= *(++argv);
609                         }
610                 else if (strcmp(*argv,"-proxy_cond") == 0)
611                         {
612                         if (--argc < 1) goto bad;
613                         app_verify_arg.proxy_cond= *(++argv);
614                         }
615                 else if (strcmp(*argv,"-v") == 0)
616                         verbose=1;
617                 else if (strcmp(*argv,"-d") == 0)
618                         debug=1;
619                 else if (strcmp(*argv,"-reuse") == 0)
620                         reuse=1;
621                 else if (strcmp(*argv,"-dhe1024") == 0)
622                         {
623 #ifndef OPENSSL_NO_DH
624                         dhe1024=1;
625 #else
626                         fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
627 #endif
628                         }
629                 else if (strcmp(*argv,"-dhe1024dsa") == 0)
630                         {
631 #ifndef OPENSSL_NO_DH
632                         dhe1024dsa=1;
633 #else
634                         fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
635 #endif
636                         }
637                 else if (strcmp(*argv,"-no_dhe") == 0)
638                         no_dhe=1;
639                 else if (strcmp(*argv,"-no_ecdhe") == 0)
640                         no_ecdhe=1;
641                 else if (strcmp(*argv,"-psk") == 0)
642                         {
643                         if (--argc < 1) goto bad;
644                         psk_key=*(++argv);
645 #ifndef OPENSSL_NO_PSK
646                         if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
647                                 {
648                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
649                                 goto bad;
650                                 }
651 #else
652                         no_psk=1;
653 #endif
654                         }
655                 else if (strcmp(*argv,"-ssl2") == 0)
656                         ssl2=1;
657                 else if (strcmp(*argv,"-tls1") == 0)
658                         tls1=1;
659                 else if (strcmp(*argv,"-ssl3") == 0)
660                         ssl3=1;
661                 else if (strncmp(*argv,"-num",4) == 0)
662                         {
663                         if (--argc < 1) goto bad;
664                         number= atoi(*(++argv));
665                         if (number == 0) number=1;
666                         }
667                 else if (strcmp(*argv,"-bytes") == 0)
668                         {
669                         if (--argc < 1) goto bad;
670                         bytes= atol(*(++argv));
671                         if (bytes == 0L) bytes=1L;
672                         i=strlen(argv[0]);
673                         if (argv[0][i-1] == 'k') bytes*=1024L;
674                         if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
675                         }
676                 else if (strcmp(*argv,"-cert") == 0)
677                         {
678                         if (--argc < 1) goto bad;
679                         server_cert= *(++argv);
680                         }
681                 else if (strcmp(*argv,"-s_cert") == 0)
682                         {
683                         if (--argc < 1) goto bad;
684                         server_cert= *(++argv);
685                         }
686                 else if (strcmp(*argv,"-key") == 0)
687                         {
688                         if (--argc < 1) goto bad;
689                         server_key= *(++argv);
690                         }
691                 else if (strcmp(*argv,"-s_key") == 0)
692                         {
693                         if (--argc < 1) goto bad;
694                         server_key= *(++argv);
695                         }
696                 else if (strcmp(*argv,"-c_cert") == 0)
697                         {
698                         if (--argc < 1) goto bad;
699                         client_cert= *(++argv);
700                         }
701                 else if (strcmp(*argv,"-c_key") == 0)
702                         {
703                         if (--argc < 1) goto bad;
704                         client_key= *(++argv);
705                         }
706                 else if (strcmp(*argv,"-cipher") == 0)
707                         {
708                         if (--argc < 1) goto bad;
709                         cipher= *(++argv);
710                         }
711                 else if (strcmp(*argv,"-CApath") == 0)
712                         {
713                         if (--argc < 1) goto bad;
714                         CApath= *(++argv);
715                         }
716                 else if (strcmp(*argv,"-CAfile") == 0)
717                         {
718                         if (--argc < 1) goto bad;
719                         CAfile= *(++argv);
720                         }
721                 else if (strcmp(*argv,"-bio_pair") == 0)
722                         {
723                         bio_pair = 1;
724                         }
725                 else if (strcmp(*argv,"-f") == 0)
726                         {
727                         force = 1;
728                         }
729                 else if (strcmp(*argv,"-time") == 0)
730                         {
731                         print_time = 1;
732                         }
733                 else if (strcmp(*argv,"-zlib") == 0)
734                         {
735                         comp = COMP_ZLIB;
736                         }
737                 else if (strcmp(*argv,"-rle") == 0)
738                         {
739                         comp = COMP_RLE;
740                         }
741                 else if (strcmp(*argv,"-named_curve") == 0)
742                         {
743                         if (--argc < 1) goto bad;
744 #ifndef OPENSSL_NO_ECDH         
745                         named_curve = *(++argv);
746 #else
747                         fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
748                         ++argv;
749 #endif
750                         }
751                 else if (strcmp(*argv,"-app_verify") == 0)
752                         {
753                         app_verify_arg.app_verify = 1;
754                         }
755                 else if (strcmp(*argv,"-proxy") == 0)
756                         {
757                         app_verify_arg.allow_proxy_certs = 1;
758                         }
759                 else if (strcmp(*argv,"-test_cipherlist") == 0)
760                         {
761                         test_cipherlist = 1;
762                         }
763 #ifndef OPENSSL_NO_NPN
764                 else if (strcmp(*argv,"-npn_client") == 0)
765                         {
766                         npn_client = 1;
767                         }
768                 else if (strcmp(*argv,"-npn_server") == 0)
769                         {
770                         npn_server = 1;
771                         }
772                 else if (strcmp(*argv,"-npn_server_reject") == 0)
773                         {
774                         npn_server_reject = 1;
775                         }
776 #endif
777                 else
778                         {
779                         fprintf(stderr,"unknown option %s\n",*argv);
780                         badop=1;
781                         break;
782                         }
783                 argc--;
784                 argv++;
785                 }
786         if (badop)
787                 {
788 bad:
789                 sv_usage();
790                 goto end;
791                 }
792
793         if (test_cipherlist == 1)
794                 {
795                 /* ensure that the cipher list are correctly sorted and exit */
796                 if (do_test_cipherlist() == 0)
797                         EXIT(1);
798                 ret = 0;
799                 goto end;
800                 }
801
802         if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
803                 {
804                 fprintf(stderr, "This case cannot work.  Use -f to perform "
805                         "the test anyway (and\n-d to see what happens), "
806                         "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
807                         "to avoid protocol mismatch.\n");
808                 EXIT(1);
809                 }
810
811         if (print_time)
812                 {
813                 if (!bio_pair)
814                         {
815                         fprintf(stderr, "Using BIO pair (-bio_pair)\n");
816                         bio_pair = 1;
817                         }
818                 if (number < 50 && !force)
819                         fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
820                 }
821
822 /*      if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
823
824         SSL_library_init();
825         SSL_load_error_strings();
826
827 #ifndef OPENSSL_NO_COMP
828         if (comp == COMP_ZLIB) cm = COMP_zlib();
829         if (comp == COMP_RLE) cm = COMP_rle();
830         if (cm != NULL)
831                 {
832                 if (cm->type != NID_undef)
833                         {
834                         if (SSL_COMP_add_compression_method(comp, cm) != 0)
835                                 {
836                                 fprintf(stderr,
837                                         "Failed to add compression method\n");
838                                 ERR_print_errors_fp(stderr);
839                                 }
840                         }
841                 else
842                         {
843                         fprintf(stderr,
844                                 "Warning: %s compression not supported\n",
845                                 (comp == COMP_RLE ? "rle" :
846                                         (comp == COMP_ZLIB ? "zlib" :
847                                                 "unknown")));
848                         ERR_print_errors_fp(stderr);
849                         }
850                 }
851         ssl_comp_methods = SSL_COMP_get_compression_methods();
852         fprintf(stderr, "Available compression methods:\n");
853         {
854         int j, n = sk_SSL_COMP_num(ssl_comp_methods);
855         if (n == 0)
856                 fprintf(stderr, "  NONE\n");
857         else
858                 for (j = 0; j < n; j++)
859                         {
860                         SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
861                         fprintf(stderr, "  %d: %s\n", c->id, c->name);
862                         }
863         }
864 #endif
865
866 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
867         if (ssl2)
868                 meth=SSLv2_method();
869         else 
870         if (tls1)
871                 meth=TLSv1_method();
872         else
873         if (ssl3)
874                 meth=SSLv3_method();
875         else
876                 meth=SSLv23_method();
877 #else
878 #ifdef OPENSSL_NO_SSL2
879         meth=SSLv3_method();
880 #else
881         meth=SSLv2_method();
882 #endif
883 #endif
884
885         c_ctx=SSL_CTX_new(meth);
886         s_ctx=SSL_CTX_new(meth);
887         if ((c_ctx == NULL) || (s_ctx == NULL))
888                 {
889                 ERR_print_errors(bio_err);
890                 goto end;
891                 }
892
893         if (cipher != NULL)
894                 {
895                 SSL_CTX_set_cipher_list(c_ctx,cipher);
896                 SSL_CTX_set_cipher_list(s_ctx,cipher);
897                 }
898
899 #ifndef OPENSSL_NO_DH
900         if (!no_dhe)
901                 {
902                 if (dhe1024dsa)
903                         {
904                         /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
905                         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
906                         dh=get_dh1024dsa();
907                         }
908                 else if (dhe1024)
909                         dh=get_dh1024();
910                 else
911                         dh=get_dh512();
912                 SSL_CTX_set_tmp_dh(s_ctx,dh);
913                 DH_free(dh);
914                 }
915 #else
916         (void)no_dhe;
917 #endif
918
919 #ifndef OPENSSL_NO_ECDH
920         if (!no_ecdhe)
921                 {
922                 int nid;
923
924                 if (named_curve != NULL)
925                         {
926                         nid = OBJ_sn2nid(named_curve);
927                         if (nid == 0)
928                         {
929                                 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
930                                 goto end;
931                                 }
932                         }
933                 else
934                         nid = NID_sect163r2;
935
936                 ecdh = EC_KEY_new_by_curve_name(nid);
937                 if (ecdh == NULL)
938                         {
939                         BIO_printf(bio_err, "unable to create curve\n");
940                         goto end;
941                         }
942
943                 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
944                 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
945                 EC_KEY_free(ecdh);
946                 }
947 #else
948         (void)no_ecdhe;
949 #endif
950
951 #ifndef OPENSSL_NO_RSA
952         SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
953 #endif
954
955 #ifdef TLSEXT_TYPE_opaque_prf_input
956         SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
957         SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
958         SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
959         SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
960 #endif
961
962         if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
963                 {
964                 ERR_print_errors(bio_err);
965                 }
966         else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
967                 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
968                 {
969                 ERR_print_errors(bio_err);
970                 goto end;
971                 }
972
973         if (client_auth)
974                 {
975                 SSL_CTX_use_certificate_file(c_ctx,client_cert,
976                         SSL_FILETYPE_PEM);
977                 SSL_CTX_use_PrivateKey_file(c_ctx,
978                         (client_key?client_key:client_cert),
979                         SSL_FILETYPE_PEM);
980                 }
981
982         if (    (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
983                 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
984                 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
985                 (!SSL_CTX_set_default_verify_paths(c_ctx)))
986                 {
987                 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
988                 ERR_print_errors(bio_err);
989                 /* goto end; */
990                 }
991
992         if (client_auth)
993                 {
994                 BIO_printf(bio_err,"client authentication\n");
995                 SSL_CTX_set_verify(s_ctx,
996                         SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
997                         verify_callback);
998                 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
999                 }
1000         if (server_auth)
1001                 {
1002                 BIO_printf(bio_err,"server authentication\n");
1003                 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1004                         verify_callback);
1005                 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1006                 }
1007         
1008         {
1009                 int session_id_context = 0;
1010                 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1011         }
1012
1013         /* Use PSK only if PSK key is given */
1014         if (psk_key != NULL)
1015                 {
1016                 /* no_psk is used to avoid putting psk command to openssl tool */
1017                 if (no_psk)
1018                         {
1019                         /* if PSK is not compiled in and psk key is
1020                          * given, do nothing and exit successfully */
1021                         ret=0;
1022                         goto end;
1023                         }
1024 #ifndef OPENSSL_NO_PSK
1025                 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1026                 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1027                 if (debug)
1028                         BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1029                 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1030                         {
1031                         BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1032                         ERR_print_errors(bio_err);
1033                         goto end;
1034                         }
1035 #endif
1036                 }
1037
1038 #ifndef OPENSSL_NO_NPN
1039         if (npn_client)
1040                 {
1041                 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1042                 }
1043         if (npn_server)
1044                 {
1045                 if (npn_server_reject)
1046                         {
1047                         BIO_printf(bio_err, "Can't have both -npn_server and -npn_server_reject\n");
1048                         goto end;
1049                         }
1050                 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
1051                 }
1052         if (npn_server_reject)
1053                 {
1054                 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1055                 }
1056 #endif
1057
1058         c_ssl=SSL_new(c_ctx);
1059         s_ssl=SSL_new(s_ctx);
1060
1061 #ifndef OPENSSL_NO_KRB5
1062         if (c_ssl  &&  c_ssl->kssl_ctx)
1063                 {
1064                 char    localhost[MAXHOSTNAMELEN+2];
1065
1066                 if (gethostname(localhost, sizeof localhost-1) == 0)
1067                         {
1068                         localhost[sizeof localhost-1]='\0';
1069                         if(strlen(localhost) == sizeof localhost-1)
1070                                 {
1071                                 BIO_printf(bio_err,"localhost name too long\n");
1072                                 goto end;
1073                                 }
1074                         kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1075                                 localhost);
1076                         }
1077                 }
1078 #endif    /* OPENSSL_NO_KRB5  */
1079
1080         for (i=0; i<number; i++)
1081                 {
1082                 if (!reuse) SSL_set_session(c_ssl,NULL);
1083                 if (bio_pair)
1084                         ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1085                 else
1086                         ret=doit(s_ssl,c_ssl,bytes);
1087                 }
1088
1089         if (!verbose)
1090                 {
1091                 print_details(c_ssl, "");
1092                 }
1093         if ((number > 1) || (bytes > 1L))
1094                 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1095         if (print_time)
1096                 {
1097 #ifdef CLOCKS_PER_SEC
1098                 /* "To determine the time in seconds, the value returned
1099                  * by the clock function should be divided by the value
1100                  * of the macro CLOCKS_PER_SEC."
1101                  *                                       -- ISO/IEC 9899 */
1102                 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1103                         "Approximate total client time: %6.2f s\n",
1104                         (double)s_time/CLOCKS_PER_SEC,
1105                         (double)c_time/CLOCKS_PER_SEC);
1106 #else
1107                 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1108                  *                            -- cc on NeXTstep/OpenStep */
1109                 BIO_printf(bio_stdout,
1110                         "Approximate total server time: %6.2f units\n"
1111                         "Approximate total client time: %6.2f units\n",
1112                         (double)s_time,
1113                         (double)c_time);
1114 #endif
1115                 }
1116
1117         SSL_free(s_ssl);
1118         SSL_free(c_ssl);
1119
1120 end:
1121         if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1122         if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1123
1124         if (bio_stdout != NULL) BIO_free(bio_stdout);
1125
1126 #ifndef OPENSSL_NO_RSA
1127         free_tmp_rsa();
1128 #endif
1129 #ifndef OPENSSL_NO_ENGINE
1130         ENGINE_cleanup();
1131 #endif
1132         CRYPTO_cleanup_all_ex_data();
1133         ERR_free_strings();
1134         ERR_remove_thread_state(NULL);
1135         EVP_cleanup();
1136         CRYPTO_mem_leaks(bio_err);
1137         if (bio_err != NULL) BIO_free(bio_err);
1138         EXIT(ret);
1139         return ret;
1140         }
1141
1142 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1143         clock_t *s_time, clock_t *c_time)
1144         {
1145         long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1146         BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1147         BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1148         int ret = 1;
1149         
1150         size_t bufsiz = 256; /* small buffer for testing */
1151
1152         if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1153                 goto err;
1154         if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1155                 goto err;
1156         
1157         s_ssl_bio = BIO_new(BIO_f_ssl());
1158         if (!s_ssl_bio)
1159                 goto err;
1160
1161         c_ssl_bio = BIO_new(BIO_f_ssl());
1162         if (!c_ssl_bio)
1163                 goto err;
1164
1165         SSL_set_connect_state(c_ssl);
1166         SSL_set_bio(c_ssl, client, client);
1167         (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1168
1169         SSL_set_accept_state(s_ssl);
1170         SSL_set_bio(s_ssl, server, server);
1171         (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1172
1173         do
1174                 {
1175                 /* c_ssl_bio:          SSL filter BIO
1176                  *
1177                  * client:             pseudo-I/O for SSL library
1178                  *
1179                  * client_io:          client's SSL communication; usually to be
1180                  *                     relayed over some I/O facility, but in this
1181                  *                     test program, we're the server, too:
1182                  *
1183                  * server_io:          server's SSL communication
1184                  *
1185                  * server:             pseudo-I/O for SSL library
1186                  *
1187                  * s_ssl_bio:          SSL filter BIO
1188                  *
1189                  * The client and the server each employ a "BIO pair":
1190                  * client + client_io, server + server_io.
1191                  * BIO pairs are symmetric.  A BIO pair behaves similar
1192                  * to a non-blocking socketpair (but both endpoints must
1193                  * be handled by the same thread).
1194                  * [Here we could connect client and server to the ends
1195                  * of a single BIO pair, but then this code would be less
1196                  * suitable as an example for BIO pairs in general.]
1197                  *
1198                  * Useful functions for querying the state of BIO pair endpoints:
1199                  *
1200                  * BIO_ctrl_pending(bio)              number of bytes we can read now
1201                  * BIO_ctrl_get_read_request(bio)     number of bytes needed to fulfil
1202                  *                                      other side's read attempt
1203                  * BIO_ctrl_get_write_guarantee(bio)   number of bytes we can write now
1204                  *
1205                  * ..._read_request is never more than ..._write_guarantee;
1206                  * it depends on the application which one you should use.
1207                  */
1208
1209                 /* We have non-blocking behaviour throughout this test program, but
1210                  * can be sure that there is *some* progress in each iteration; so
1211                  * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1212                  * -- we just try everything in each iteration
1213                  */
1214
1215                         {
1216                         /* CLIENT */
1217                 
1218                         MS_STATIC char cbuf[1024*8];
1219                         int i, r;
1220                         clock_t c_clock = clock();
1221
1222                         memset(cbuf, 0, sizeof(cbuf));
1223
1224                         if (debug)
1225                                 if (SSL_in_init(c_ssl))
1226                                         printf("client waiting in SSL_connect - %s\n",
1227                                                 SSL_state_string_long(c_ssl));
1228
1229                         if (cw_num > 0)
1230                                 {
1231                                 /* Write to server. */
1232                                 
1233                                 if (cw_num > (long)sizeof cbuf)
1234                                         i = sizeof cbuf;
1235                                 else
1236                                         i = (int)cw_num;
1237                                 r = BIO_write(c_ssl_bio, cbuf, i);
1238                                 if (r < 0)
1239                                         {
1240                                         if (!BIO_should_retry(c_ssl_bio))
1241                                                 {
1242                                                 fprintf(stderr,"ERROR in CLIENT\n");
1243                                                 goto err;
1244                                                 }
1245                                         /* BIO_should_retry(...) can just be ignored here.
1246                                          * The library expects us to call BIO_write with
1247                                          * the same arguments again, and that's what we will
1248                                          * do in the next iteration. */
1249                                         }
1250                                 else if (r == 0)
1251                                         {
1252                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1253                                         goto err;
1254                                         }
1255                                 else
1256                                         {
1257                                         if (debug)
1258                                                 printf("client wrote %d\n", r);
1259                                         cw_num -= r;                            
1260                                         }
1261                                 }
1262
1263                         if (cr_num > 0)
1264                                 {
1265                                 /* Read from server. */
1266
1267                                 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1268                                 if (r < 0)
1269                                         {
1270                                         if (!BIO_should_retry(c_ssl_bio))
1271                                                 {
1272                                                 fprintf(stderr,"ERROR in CLIENT\n");
1273                                                 goto err;
1274                                                 }
1275                                         /* Again, "BIO_should_retry" can be ignored. */
1276                                         }
1277                                 else if (r == 0)
1278                                         {
1279                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1280                                         goto err;
1281                                         }
1282                                 else
1283                                         {
1284                                         if (debug)
1285                                                 printf("client read %d\n", r);
1286                                         cr_num -= r;
1287                                         }
1288                                 }
1289
1290                         /* c_time and s_time increments will typically be very small
1291                          * (depending on machine speed and clock tick intervals),
1292                          * but sampling over a large number of connections should
1293                          * result in fairly accurate figures.  We cannot guarantee
1294                          * a lot, however -- if each connection lasts for exactly
1295                          * one clock tick, it will be counted only for the client
1296                          * or only for the server or even not at all.
1297                          */
1298                         *c_time += (clock() - c_clock);
1299                         }
1300
1301                         {
1302                         /* SERVER */
1303                 
1304                         MS_STATIC char sbuf[1024*8];
1305                         int i, r;
1306                         clock_t s_clock = clock();
1307
1308                         memset(sbuf, 0, sizeof(sbuf));
1309
1310                         if (debug)
1311                                 if (SSL_in_init(s_ssl))
1312                                         printf("server waiting in SSL_accept - %s\n",
1313                                                 SSL_state_string_long(s_ssl));
1314
1315                         if (sw_num > 0)
1316                                 {
1317                                 /* Write to client. */
1318                                 
1319                                 if (sw_num > (long)sizeof sbuf)
1320                                         i = sizeof sbuf;
1321                                 else
1322                                         i = (int)sw_num;
1323                                 r = BIO_write(s_ssl_bio, sbuf, i);
1324                                 if (r < 0)
1325                                         {
1326                                         if (!BIO_should_retry(s_ssl_bio))
1327                                                 {
1328                                                 fprintf(stderr,"ERROR in SERVER\n");
1329                                                 goto err;
1330                                                 }
1331                                         /* Ignore "BIO_should_retry". */
1332                                         }
1333                                 else if (r == 0)
1334                                         {
1335                                         fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1336                                         goto err;
1337                                         }
1338                                 else
1339                                         {
1340                                         if (debug)
1341                                                 printf("server wrote %d\n", r);
1342                                         sw_num -= r;                            
1343                                         }
1344                                 }
1345
1346                         if (sr_num > 0)
1347                                 {
1348                                 /* Read from client. */
1349
1350                                 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1351                                 if (r < 0)
1352                                         {
1353                                         if (!BIO_should_retry(s_ssl_bio))
1354                                                 {
1355                                                 fprintf(stderr,"ERROR in SERVER\n");
1356                                                 goto err;
1357                                                 }
1358                                         /* blah, blah */
1359                                         }
1360                                 else if (r == 0)
1361                                         {
1362                                         fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1363                                         goto err;
1364                                         }
1365                                 else
1366                                         {
1367                                         if (debug)
1368                                                 printf("server read %d\n", r);
1369                                         sr_num -= r;
1370                                         }
1371                                 }
1372
1373                         *s_time += (clock() - s_clock);
1374                         }
1375                         
1376                         {
1377                         /* "I/O" BETWEEN CLIENT AND SERVER. */
1378
1379                         size_t r1, r2;
1380                         BIO *io1 = server_io, *io2 = client_io;
1381                         /* we use the non-copying interface for io1
1382                          * and the standard BIO_write/BIO_read interface for io2
1383                          */
1384                         
1385                         static int prev_progress = 1;
1386                         int progress = 0;
1387                         
1388                         /* io1 to io2 */
1389                         do
1390                                 {
1391                                 size_t num;
1392                                 int r;
1393
1394                                 r1 = BIO_ctrl_pending(io1);
1395                                 r2 = BIO_ctrl_get_write_guarantee(io2);
1396
1397                                 num = r1;
1398                                 if (r2 < num)
1399                                         num = r2;
1400                                 if (num)
1401                                         {
1402                                         char *dataptr;
1403
1404                                         if (INT_MAX < num) /* yeah, right */
1405                                                 num = INT_MAX;
1406                                         
1407                                         r = BIO_nread(io1, &dataptr, (int)num);
1408                                         assert(r > 0);
1409                                         assert(r <= (int)num);
1410                                         /* possibly r < num (non-contiguous data) */
1411                                         num = r;
1412                                         r = BIO_write(io2, dataptr, (int)num);
1413                                         if (r != (int)num) /* can't happen */
1414                                                 {
1415                                                 fprintf(stderr, "ERROR: BIO_write could not write "
1416                                                         "BIO_ctrl_get_write_guarantee() bytes");
1417                                                 goto err;
1418                                                 }
1419                                         progress = 1;
1420
1421                                         if (debug)
1422                                                 printf((io1 == client_io) ?
1423                                                         "C->S relaying: %d bytes\n" :
1424                                                         "S->C relaying: %d bytes\n",
1425                                                         (int)num);
1426                                         }
1427                                 }
1428                         while (r1 && r2);
1429
1430                         /* io2 to io1 */
1431                         {
1432                                 size_t num;
1433                                 int r;
1434
1435                                 r1 = BIO_ctrl_pending(io2);
1436                                 r2 = BIO_ctrl_get_read_request(io1);
1437                                 /* here we could use ..._get_write_guarantee instead of
1438                                  * ..._get_read_request, but by using the latter
1439                                  * we test restartability of the SSL implementation
1440                                  * more thoroughly */
1441                                 num = r1;
1442                                 if (r2 < num)
1443                                         num = r2;
1444                                 if (num)
1445                                         {
1446                                         char *dataptr;
1447                                         
1448                                         if (INT_MAX < num)
1449                                                 num = INT_MAX;
1450
1451                                         if (num > 1)
1452                                                 --num; /* test restartability even more thoroughly */
1453                                         
1454                                         r = BIO_nwrite0(io1, &dataptr);
1455                                         assert(r > 0);
1456                                         if (r < (int)num)
1457                                                 num = r;
1458                                         r = BIO_read(io2, dataptr, (int)num);
1459                                         if (r != (int)num) /* can't happen */
1460                                                 {
1461                                                 fprintf(stderr, "ERROR: BIO_read could not read "
1462                                                         "BIO_ctrl_pending() bytes");
1463                                                 goto err;
1464                                                 }
1465                                         progress = 1;
1466                                         r = BIO_nwrite(io1, &dataptr, (int)num);
1467                                         if (r != (int)num) /* can't happen */
1468                                                 {
1469                                                 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1470                                                         "BIO_nwrite0() bytes");
1471                                                 goto err;
1472                                                 }
1473                                         
1474                                         if (debug)
1475                                                 printf((io2 == client_io) ?
1476                                                         "C->S relaying: %d bytes\n" :
1477                                                         "S->C relaying: %d bytes\n",
1478                                                         (int)num);
1479                                         }
1480                         } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1481
1482                         if (!progress && !prev_progress)
1483                                 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1484                                         {
1485                                         fprintf(stderr, "ERROR: got stuck\n");
1486                                         if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1487                                                 {
1488                                                 fprintf(stderr, "This can happen for SSL2 because "
1489                                                         "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1490                                                         "concurrently ...");
1491                                                 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1492                                                         && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1493                                                         {
1494                                                         fprintf(stderr, " ok.\n");
1495                                                         goto end;
1496                                                         }
1497                                                 }
1498                                         fprintf(stderr, " ERROR.\n");
1499                                         goto err;
1500                                         }
1501                         prev_progress = progress;
1502                         }
1503                 }
1504         while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1505
1506         if (verbose)
1507                 print_details(c_ssl, "DONE via BIO pair: ");
1508 #ifndef OPENSSL_NO_NPN
1509         if (verify_npn(c_ssl, s_ssl) < 0)
1510                 {
1511                 ret = 1;
1512                 goto end;
1513                 }
1514 #endif
1515 end:
1516         ret = 0;
1517
1518  err:
1519         ERR_print_errors(bio_err);
1520         
1521         if (server)
1522                 BIO_free(server);
1523         if (server_io)
1524                 BIO_free(server_io);
1525         if (client)
1526                 BIO_free(client);
1527         if (client_io)
1528                 BIO_free(client_io);
1529         if (s_ssl_bio)
1530                 BIO_free(s_ssl_bio);
1531         if (c_ssl_bio)
1532                 BIO_free(c_ssl_bio);
1533
1534         return ret;
1535         }
1536
1537
1538 #define W_READ  1
1539 #define W_WRITE 2
1540 #define C_DONE  1
1541 #define S_DONE  2
1542
1543 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1544         {
1545         MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1546         long cw_num=count,cr_num=count;
1547         long sw_num=count,sr_num=count;
1548         int ret=1;
1549         BIO *c_to_s=NULL;
1550         BIO *s_to_c=NULL;
1551         BIO *c_bio=NULL;
1552         BIO *s_bio=NULL;
1553         int c_r,c_w,s_r,s_w;
1554         int i,j;
1555         int done=0;
1556         int c_write,s_write;
1557         int do_server=0,do_client=0;
1558
1559         memset(cbuf,0,sizeof(cbuf));
1560         memset(sbuf,0,sizeof(sbuf));
1561
1562         c_to_s=BIO_new(BIO_s_mem());
1563         s_to_c=BIO_new(BIO_s_mem());
1564         if ((s_to_c == NULL) || (c_to_s == NULL))
1565                 {
1566                 ERR_print_errors(bio_err);
1567                 goto err;
1568                 }
1569
1570         c_bio=BIO_new(BIO_f_ssl());
1571         s_bio=BIO_new(BIO_f_ssl());
1572         if ((c_bio == NULL) || (s_bio == NULL))
1573                 {
1574                 ERR_print_errors(bio_err);
1575                 goto err;
1576                 }
1577
1578         SSL_set_connect_state(c_ssl);
1579         SSL_set_bio(c_ssl,s_to_c,c_to_s);
1580         BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1581
1582         SSL_set_accept_state(s_ssl);
1583         SSL_set_bio(s_ssl,c_to_s,s_to_c);
1584         BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1585
1586         c_r=0; s_r=1;
1587         c_w=1; s_w=0;
1588         c_write=1,s_write=0;
1589
1590         /* We can always do writes */
1591         for (;;)
1592                 {
1593                 do_server=0;
1594                 do_client=0;
1595
1596                 i=(int)BIO_pending(s_bio);
1597                 if ((i && s_r) || s_w) do_server=1;
1598
1599                 i=(int)BIO_pending(c_bio);
1600                 if ((i && c_r) || c_w) do_client=1;
1601
1602                 if (do_server && debug)
1603                         {
1604                         if (SSL_in_init(s_ssl))
1605                                 printf("server waiting in SSL_accept - %s\n",
1606                                         SSL_state_string_long(s_ssl));
1607 /*                      else if (s_write)
1608                                 printf("server:SSL_write()\n");
1609                         else
1610                                 printf("server:SSL_read()\n"); */
1611                         }
1612
1613                 if (do_client && debug)
1614                         {
1615                         if (SSL_in_init(c_ssl))
1616                                 printf("client waiting in SSL_connect - %s\n",
1617                                         SSL_state_string_long(c_ssl));
1618 /*                      else if (c_write)
1619                                 printf("client:SSL_write()\n");
1620                         else
1621                                 printf("client:SSL_read()\n"); */
1622                         }
1623
1624                 if (!do_client && !do_server)
1625                         {
1626                         fprintf(stdout,"ERROR IN STARTUP\n");
1627                         ERR_print_errors(bio_err);
1628                         break;
1629                         }
1630                 if (do_client && !(done & C_DONE))
1631                         {
1632                         if (c_write)
1633                                 {
1634                                 j = (cw_num > (long)sizeof(cbuf)) ?
1635                                         (int)sizeof(cbuf) : (int)cw_num;
1636                                 i=BIO_write(c_bio,cbuf,j);
1637                                 if (i < 0)
1638                                         {
1639                                         c_r=0;
1640                                         c_w=0;
1641                                         if (BIO_should_retry(c_bio))
1642                                                 {
1643                                                 if (BIO_should_read(c_bio))
1644                                                         c_r=1;
1645                                                 if (BIO_should_write(c_bio))
1646                                                         c_w=1;
1647                                                 }
1648                                         else
1649                                                 {
1650                                                 fprintf(stderr,"ERROR in CLIENT\n");
1651                                                 ERR_print_errors(bio_err);
1652                                                 goto err;
1653                                                 }
1654                                         }
1655                                 else if (i == 0)
1656                                         {
1657                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1658                                         goto err;
1659                                         }
1660                                 else
1661                                         {
1662                                         if (debug)
1663                                                 printf("client wrote %d\n",i);
1664                                         /* ok */
1665                                         s_r=1;
1666                                         c_write=0;
1667                                         cw_num-=i;
1668                                         }
1669                                 }
1670                         else
1671                                 {
1672                                 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1673                                 if (i < 0)
1674                                         {
1675                                         c_r=0;
1676                                         c_w=0;
1677                                         if (BIO_should_retry(c_bio))
1678                                                 {
1679                                                 if (BIO_should_read(c_bio))
1680                                                         c_r=1;
1681                                                 if (BIO_should_write(c_bio))
1682                                                         c_w=1;
1683                                                 }
1684                                         else
1685                                                 {
1686                                                 fprintf(stderr,"ERROR in CLIENT\n");
1687                                                 ERR_print_errors(bio_err);
1688                                                 goto err;
1689                                                 }
1690                                         }
1691                                 else if (i == 0)
1692                                         {
1693                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1694                                         goto err;
1695                                         }
1696                                 else
1697                                         {
1698                                         if (debug)
1699                                                 printf("client read %d\n",i);
1700                                         cr_num-=i;
1701                                         if (sw_num > 0)
1702                                                 {
1703                                                 s_write=1;
1704                                                 s_w=1;
1705                                                 }
1706                                         if (cr_num <= 0)
1707                                                 {
1708                                                 s_write=1;
1709                                                 s_w=1;
1710                                                 done=S_DONE|C_DONE;
1711                                                 }
1712                                         }
1713                                 }
1714                         }
1715
1716                 if (do_server && !(done & S_DONE))
1717                         {
1718                         if (!s_write)
1719                                 {
1720                                 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1721                                 if (i < 0)
1722                                         {
1723                                         s_r=0;
1724                                         s_w=0;
1725                                         if (BIO_should_retry(s_bio))
1726                                                 {
1727                                                 if (BIO_should_read(s_bio))
1728                                                         s_r=1;
1729                                                 if (BIO_should_write(s_bio))
1730                                                         s_w=1;
1731                                                 }
1732                                         else
1733                                                 {
1734                                                 fprintf(stderr,"ERROR in SERVER\n");
1735                                                 ERR_print_errors(bio_err);
1736                                                 goto err;
1737                                                 }
1738                                         }
1739                                 else if (i == 0)
1740                                         {
1741                                         ERR_print_errors(bio_err);
1742                                         fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1743                                         goto err;
1744                                         }
1745                                 else
1746                                         {
1747                                         if (debug)
1748                                                 printf("server read %d\n",i);
1749                                         sr_num-=i;
1750                                         if (cw_num > 0)
1751                                                 {
1752                                                 c_write=1;
1753                                                 c_w=1;
1754                                                 }
1755                                         if (sr_num <= 0)
1756                                                 {
1757                                                 s_write=1;
1758                                                 s_w=1;
1759                                                 c_write=0;
1760                                                 }
1761                                         }
1762                                 }
1763                         else
1764                                 {
1765                                 j = (sw_num > (long)sizeof(sbuf)) ?
1766                                         (int)sizeof(sbuf) : (int)sw_num;
1767                                 i=BIO_write(s_bio,sbuf,j);
1768                                 if (i < 0)
1769                                         {
1770                                         s_r=0;
1771                                         s_w=0;
1772                                         if (BIO_should_retry(s_bio))
1773                                                 {
1774                                                 if (BIO_should_read(s_bio))
1775                                                         s_r=1;
1776                                                 if (BIO_should_write(s_bio))
1777                                                         s_w=1;
1778                                                 }
1779                                         else
1780                                                 {
1781                                                 fprintf(stderr,"ERROR in SERVER\n");
1782                                                 ERR_print_errors(bio_err);
1783                                                 goto err;
1784                                                 }
1785                                         }
1786                                 else if (i == 0)
1787                                         {
1788                                         ERR_print_errors(bio_err);
1789                                         fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1790                                         goto err;
1791                                         }
1792                                 else
1793                                         {
1794                                         if (debug)
1795                                                 printf("server wrote %d\n",i);
1796                                         sw_num-=i;
1797                                         s_write=0;
1798                                         c_r=1;
1799                                         if (sw_num <= 0)
1800                                                 done|=S_DONE;
1801                                         }
1802                                 }
1803                         }
1804
1805                 if ((done & S_DONE) && (done & C_DONE)) break;
1806                 }
1807
1808         if (verbose)
1809                 print_details(c_ssl, "DONE: ");
1810 #ifndef OPENSSL_NO_NPN
1811         if (verify_npn(c_ssl, s_ssl) < 0)
1812                 {
1813                 ret = 1;
1814                 goto err;
1815                 }
1816 #endif
1817         ret=0;
1818 err:
1819         /* We have to set the BIO's to NULL otherwise they will be
1820          * OPENSSL_free()ed twice.  Once when th s_ssl is SSL_free()ed and
1821          * again when c_ssl is SSL_free()ed.
1822          * This is a hack required because s_ssl and c_ssl are sharing the same
1823          * BIO structure and SSL_set_bio() and SSL_free() automatically
1824          * BIO_free non NULL entries.
1825          * You should not normally do this or be required to do this */
1826         if (s_ssl != NULL)
1827                 {
1828                 s_ssl->rbio=NULL;
1829                 s_ssl->wbio=NULL;
1830                 }
1831         if (c_ssl != NULL)
1832                 {
1833                 c_ssl->rbio=NULL;
1834                 c_ssl->wbio=NULL;
1835                 }
1836
1837         if (c_to_s != NULL) BIO_free(c_to_s);
1838         if (s_to_c != NULL) BIO_free(s_to_c);
1839         if (c_bio != NULL) BIO_free_all(c_bio);
1840         if (s_bio != NULL) BIO_free_all(s_bio);
1841         return(ret);
1842         }
1843
1844 static int get_proxy_auth_ex_data_idx(void)
1845         {
1846         static volatile int idx = -1;
1847         if (idx < 0)
1848                 {
1849                 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1850                 if (idx < 0)
1851                         {
1852                         idx = X509_STORE_CTX_get_ex_new_index(0,
1853                                 "SSLtest for verify callback", NULL,NULL,NULL);
1854                         }
1855                 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1856                 }
1857         return idx;
1858         }
1859
1860 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1861         {
1862         char *s,buf[256];
1863
1864         s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1865                             sizeof buf);
1866         if (s != NULL)
1867                 {
1868                 if (ok)
1869                         fprintf(stderr,"depth=%d %s\n",
1870                                 ctx->error_depth,buf);
1871                 else
1872                         {
1873                         fprintf(stderr,"depth=%d error=%d %s\n",
1874                                 ctx->error_depth,ctx->error,buf);
1875                         }
1876                 }
1877
1878         if (ok == 0)
1879                 {
1880                 fprintf(stderr,"Error string: %s\n",
1881                         X509_verify_cert_error_string(ctx->error));
1882                 switch (ctx->error)
1883                         {
1884                 case X509_V_ERR_CERT_NOT_YET_VALID:
1885                 case X509_V_ERR_CERT_HAS_EXPIRED:
1886                 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1887                         fprintf(stderr,"  ... ignored.\n");
1888                         ok=1;
1889                         }
1890                 }
1891
1892         if (ok == 1)
1893                 {
1894                 X509 *xs = ctx->current_cert;
1895 #if 0
1896                 X509 *xi = ctx->current_issuer;
1897 #endif
1898
1899                 if (xs->ex_flags & EXFLAG_PROXY)
1900                         {
1901                         unsigned int *letters =
1902                                 X509_STORE_CTX_get_ex_data(ctx,
1903                                         get_proxy_auth_ex_data_idx());
1904
1905                         if (letters)
1906                                 {
1907                                 int found_any = 0;
1908                                 int i;
1909                                 PROXY_CERT_INFO_EXTENSION *pci =
1910                                         X509_get_ext_d2i(xs, NID_proxyCertInfo,
1911                                                 NULL, NULL);
1912
1913                                 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1914                                         {
1915                                 case NID_Independent:
1916                                         /* Completely meaningless in this
1917                                            program, as there's no way to
1918                                            grant explicit rights to a
1919                                            specific PrC.  Basically, using
1920                                            id-ppl-Independent is the perfect
1921                                            way to grant no rights at all. */
1922                                         fprintf(stderr, "  Independent proxy certificate");
1923                                         for (i = 0; i < 26; i++)
1924                                                 letters[i] = 0;
1925                                         break;
1926                                 case NID_id_ppl_inheritAll:
1927                                         /* This is basically a NOP, we
1928                                            simply let the current rights
1929                                            stand as they are. */
1930                                         fprintf(stderr, "  Proxy certificate inherits all");
1931                                         break;
1932                                 default:
1933                                         s = (char *)
1934                                                 pci->proxyPolicy->policy->data;
1935                                         i = pci->proxyPolicy->policy->length;
1936
1937                                         /* The algorithm works as follows:
1938                                            it is assumed that previous
1939                                            iterations or the initial granted
1940                                            rights has already set some elements
1941                                            of `letters'.  What we need to do is
1942                                            to clear those that weren't granted
1943                                            by the current PrC as well.  The
1944                                            easiest way to do this is to add 1
1945                                            to all the elements whose letters
1946                                            are given with the current policy.
1947                                            That way, all elements that are set
1948                                            by the current policy and were
1949                                            already set by earlier policies and
1950                                            through the original grant of rights
1951                                            will get the value 2 or higher.
1952                                            The last thing to do is to sweep
1953                                            through `letters' and keep the
1954                                            elements having the value 2 as set,
1955                                            and clear all the others. */
1956
1957                                         fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
1958                                         while(i-- > 0)
1959                                                 {
1960                                                 int c = *s++;
1961                                                 if (isascii(c) && isalpha(c))
1962                                                         {
1963                                                         if (islower(c))
1964                                                                 c = toupper(c);
1965                                                         letters[c - 'A']++;
1966                                                         }
1967                                                 }
1968                                         for (i = 0; i < 26; i++)
1969                                                 if (letters[i] < 2)
1970                                                         letters[i] = 0;
1971                                                 else
1972                                                         letters[i] = 1;
1973                                         }
1974
1975                                 found_any = 0;
1976                                 fprintf(stderr,
1977                                         ", resulting proxy rights = ");
1978                                 for(i = 0; i < 26; i++)
1979                                         if (letters[i])
1980                                                 {
1981                                                 fprintf(stderr, "%c", i + 'A');
1982                                                 found_any = 1;
1983                                                 }
1984                                 if (!found_any)
1985                                         fprintf(stderr, "none");
1986                                 fprintf(stderr, "\n");
1987
1988                                 PROXY_CERT_INFO_EXTENSION_free(pci);
1989                                 }
1990                         }
1991                 }
1992
1993         return(ok);
1994         }
1995
1996 static void process_proxy_debug(int indent, const char *format, ...)
1997         {
1998         static const char indentation[] =
1999                 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2000                 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2001         char my_format[256];
2002         va_list args;
2003
2004         BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2005                 indent, indent, indentation, format);
2006
2007         va_start(args, format);
2008         vfprintf(stderr, my_format, args);
2009         va_end(args);
2010         }
2011 /* Priority levels:
2012    0    [!]var, ()
2013    1    & ^
2014    2    |
2015 */
2016 static int process_proxy_cond_adders(unsigned int letters[26],
2017         const char *cond, const char **cond_end, int *pos, int indent);
2018 static int process_proxy_cond_val(unsigned int letters[26],
2019         const char *cond, const char **cond_end, int *pos, int indent)
2020         {
2021         int c;
2022         int ok = 1;
2023         int negate = 0;
2024
2025         while(isspace((int)*cond))
2026                 {
2027                 cond++; (*pos)++;
2028                 }
2029         c = *cond;
2030
2031         if (debug)
2032                 process_proxy_debug(indent,
2033                         "Start process_proxy_cond_val at position %d: %s\n",
2034                         *pos, cond);
2035
2036         while(c == '!')
2037                 {
2038                 negate = !negate;
2039                 cond++; (*pos)++;
2040                 while(isspace((int)*cond))
2041                         {
2042                         cond++; (*pos)++;
2043                         }
2044                 c = *cond;
2045                 }
2046
2047         if (c == '(')
2048                 {
2049                 cond++; (*pos)++;
2050                 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2051                         indent + 1);
2052                 cond = *cond_end;
2053                 if (ok < 0)
2054                         goto end;
2055                 while(isspace((int)*cond))
2056                         {
2057                         cond++; (*pos)++;
2058                         }
2059                 c = *cond;
2060                 if (c != ')')
2061                         {
2062                         fprintf(stderr,
2063                                 "Weird condition character in position %d: "
2064                                 "%c\n", *pos, c);
2065                         ok = -1;
2066                         goto end;
2067                         }
2068                 cond++; (*pos)++;
2069                 }
2070         else if (isascii(c) && isalpha(c))
2071                 {
2072                 if (islower(c))
2073                         c = toupper(c);
2074                 ok = letters[c - 'A'];
2075                 cond++; (*pos)++;
2076                 }
2077         else
2078                 {
2079                 fprintf(stderr,
2080                         "Weird condition character in position %d: "
2081                         "%c\n", *pos, c);
2082                 ok = -1;
2083                 goto end;
2084                 }
2085  end:
2086         *cond_end = cond;
2087         if (ok >= 0 && negate)
2088                 ok = !ok;
2089
2090         if (debug)
2091                 process_proxy_debug(indent,
2092                         "End process_proxy_cond_val at position %d: %s, returning %d\n",
2093                         *pos, cond, ok);
2094
2095         return ok;
2096         }
2097 static int process_proxy_cond_multipliers(unsigned int letters[26],
2098         const char *cond, const char **cond_end, int *pos, int indent)
2099         {
2100         int ok;
2101         char c;
2102
2103         if (debug)
2104                 process_proxy_debug(indent,
2105                         "Start process_proxy_cond_multipliers at position %d: %s\n",
2106                         *pos, cond);
2107
2108         ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2109         cond = *cond_end;
2110         if (ok < 0)
2111                 goto end;
2112
2113         while(ok >= 0)
2114                 {
2115                 while(isspace((int)*cond))
2116                         {
2117                         cond++; (*pos)++;
2118                         }
2119                 c = *cond;
2120
2121                 switch(c)
2122                         {
2123                 case '&':
2124                 case '^':
2125                         {
2126                         int save_ok = ok;
2127
2128                         cond++; (*pos)++;
2129                         ok = process_proxy_cond_val(letters,
2130                                 cond, cond_end, pos, indent + 1);
2131                         cond = *cond_end;
2132                         if (ok < 0)
2133                                 break;
2134
2135                         switch(c)
2136                                 {
2137                         case '&':
2138                                 ok &= save_ok;
2139                                 break;
2140                         case '^':
2141                                 ok ^= save_ok;
2142                                 break;
2143                         default:
2144                                 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2145                                         " STOPPING\n");
2146                                 EXIT(1);
2147                                 }
2148                         }
2149                         break;
2150                 default:
2151                         goto end;
2152                         }
2153                 }
2154  end:
2155         if (debug)
2156                 process_proxy_debug(indent,
2157                         "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2158                         *pos, cond, ok);
2159
2160         *cond_end = cond;
2161         return ok;
2162         }
2163 static int process_proxy_cond_adders(unsigned int letters[26],
2164         const char *cond, const char **cond_end, int *pos, int indent)
2165         {
2166         int ok;
2167         char c;
2168
2169         if (debug)
2170                 process_proxy_debug(indent,
2171                         "Start process_proxy_cond_adders at position %d: %s\n",
2172                         *pos, cond);
2173
2174         ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2175                 indent + 1);
2176         cond = *cond_end;
2177         if (ok < 0)
2178                 goto end;
2179
2180         while(ok >= 0)
2181                 {
2182                 while(isspace((int)*cond))
2183                         {
2184                         cond++; (*pos)++;
2185                         }
2186                 c = *cond;
2187
2188                 switch(c)
2189                         {
2190                 case '|':
2191                         {
2192                         int save_ok = ok;
2193
2194                         cond++; (*pos)++;
2195                         ok = process_proxy_cond_multipliers(letters,
2196                                 cond, cond_end, pos, indent + 1);
2197                         cond = *cond_end;
2198                         if (ok < 0)
2199                                 break;
2200
2201                         switch(c)
2202                                 {
2203                         case '|':
2204                                 ok |= save_ok;
2205                                 break;
2206                         default:
2207                                 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2208                                         " STOPPING\n");
2209                                 EXIT(1);
2210                                 }
2211                         }
2212                         break;
2213                 default:
2214                         goto end;
2215                         }
2216                 }
2217  end:
2218         if (debug)
2219                 process_proxy_debug(indent,
2220                         "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2221                         *pos, cond, ok);
2222
2223         *cond_end = cond;
2224         return ok;
2225         }
2226
2227 static int process_proxy_cond(unsigned int letters[26],
2228         const char *cond, const char **cond_end)
2229         {
2230         int pos = 1;
2231         return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2232         }
2233
2234 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2235         {
2236         int ok=1;
2237         struct app_verify_arg *cb_arg = arg;
2238         unsigned int letters[26]; /* only used with proxy_auth */
2239
2240         if (cb_arg->app_verify)
2241                 {
2242                 char *s = NULL,buf[256];
2243
2244                 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2245                 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2246                 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2247                         (void *)ctx, (void *)ctx->cert);
2248                 if (ctx->cert)
2249                         s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2250                 if (s != NULL)
2251                         {
2252                         fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2253                         }
2254                 return(1);
2255                 }
2256         if (cb_arg->proxy_auth)
2257                 {
2258                 int found_any = 0, i;
2259                 char *sp;
2260
2261                 for(i = 0; i < 26; i++)
2262                         letters[i] = 0;
2263                 for(sp = cb_arg->proxy_auth; *sp; sp++)
2264                         {
2265                         int c = *sp;
2266                         if (isascii(c) && isalpha(c))
2267                                 {
2268                                 if (islower(c))
2269                                         c = toupper(c);
2270                                 letters[c - 'A'] = 1;
2271                                 }
2272                         }
2273
2274                 fprintf(stderr,
2275                         "  Initial proxy rights = ");
2276                 for(i = 0; i < 26; i++)
2277                         if (letters[i])
2278                                 {
2279                                 fprintf(stderr, "%c", i + 'A');
2280                                 found_any = 1;
2281                                 }
2282                 if (!found_any)
2283                         fprintf(stderr, "none");
2284                 fprintf(stderr, "\n");
2285
2286                 X509_STORE_CTX_set_ex_data(ctx,
2287                         get_proxy_auth_ex_data_idx(),letters);
2288                 }
2289         if (cb_arg->allow_proxy_certs)
2290                 {
2291                 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2292                 }
2293
2294 #ifndef OPENSSL_NO_X509_VERIFY
2295 # ifdef OPENSSL_FIPS
2296         if(s->version == TLS1_VERSION)
2297                 FIPS_allow_md5(1);
2298 # endif
2299         ok = X509_verify_cert(ctx);
2300 # ifdef OPENSSL_FIPS
2301         if(s->version == TLS1_VERSION)
2302                 FIPS_allow_md5(0);
2303 # endif
2304 #endif
2305
2306         if (cb_arg->proxy_auth)
2307                 {
2308                 if (ok > 0)
2309                         {
2310                         const char *cond_end = NULL;
2311
2312                         ok = process_proxy_cond(letters,
2313                                 cb_arg->proxy_cond, &cond_end);
2314
2315                         if (ok < 0)
2316                                 EXIT(3);
2317                         if (*cond_end)
2318                                 {
2319                                 fprintf(stderr, "Stopped processing condition before it's end.\n");
2320                                 ok = 0;
2321                                 }
2322                         if (!ok)
2323                                 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2324                                         cb_arg->proxy_cond);
2325                         else
2326                                 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2327                                         cb_arg->proxy_cond);
2328                         }
2329                 }
2330         return(ok);
2331         }
2332
2333 #ifndef OPENSSL_NO_RSA
2334 static RSA *rsa_tmp=NULL;
2335
2336 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2337         {
2338         BIGNUM *bn = NULL;
2339         if (rsa_tmp == NULL)
2340                 {
2341                 bn = BN_new();
2342                 rsa_tmp = RSA_new();
2343                 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2344                         {
2345                         BIO_printf(bio_err, "Memory error...");
2346                         goto end;
2347                         }
2348                 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2349                 (void)BIO_flush(bio_err);
2350                 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2351                         {
2352                         BIO_printf(bio_err, "Error generating key.");
2353                         RSA_free(rsa_tmp);
2354                         rsa_tmp = NULL;
2355                         }
2356 end:
2357                 BIO_printf(bio_err,"\n");
2358                 (void)BIO_flush(bio_err);
2359                 }
2360         if(bn) BN_free(bn);
2361         return(rsa_tmp);
2362         }
2363
2364 static void free_tmp_rsa(void)
2365         {
2366         if (rsa_tmp != NULL)
2367                 {
2368                 RSA_free(rsa_tmp);
2369                 rsa_tmp = NULL;
2370                 }
2371         }
2372 #endif
2373
2374 #ifndef OPENSSL_NO_DH
2375 /* These DH parameters have been generated as follows:
2376  *    $ openssl dhparam -C -noout 512
2377  *    $ openssl dhparam -C -noout 1024
2378  *    $ openssl dhparam -C -noout -dsaparam 1024
2379  * (The third function has been renamed to avoid name conflicts.)
2380  */
2381 static DH *get_dh512()
2382         {
2383         static unsigned char dh512_p[]={
2384                 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2385                 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2386                 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2387                 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2388                 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2389                 0x02,0xC5,0xAE,0x23,
2390                 };
2391         static unsigned char dh512_g[]={
2392                 0x02,
2393                 };
2394         DH *dh;
2395
2396         if ((dh=DH_new()) == NULL) return(NULL);
2397         dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2398         dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2399         if ((dh->p == NULL) || (dh->g == NULL))
2400                 { DH_free(dh); return(NULL); }
2401         return(dh);
2402         }
2403
2404 static DH *get_dh1024()
2405         {
2406         static unsigned char dh1024_p[]={
2407                 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2408                 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2409                 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2410                 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2411                 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2412                 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2413                 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2414                 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2415                 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2416                 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2417                 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2418                 };
2419         static unsigned char dh1024_g[]={
2420                 0x02,
2421                 };
2422         DH *dh;
2423
2424         if ((dh=DH_new()) == NULL) return(NULL);
2425         dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2426         dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2427         if ((dh->p == NULL) || (dh->g == NULL))
2428                 { DH_free(dh); return(NULL); }
2429         return(dh);
2430         }
2431
2432 static DH *get_dh1024dsa()
2433         {
2434         static unsigned char dh1024_p[]={
2435                 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2436                 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2437                 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2438                 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2439                 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2440                 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2441                 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2442                 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2443                 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2444                 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2445                 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2446                 };
2447         static unsigned char dh1024_g[]={
2448                 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2449                 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2450                 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2451                 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2452                 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2453                 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2454                 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2455                 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2456                 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2457                 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2458                 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2459                 };
2460         DH *dh;
2461
2462         if ((dh=DH_new()) == NULL) return(NULL);
2463         dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2464         dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2465         if ((dh->p == NULL) || (dh->g == NULL))
2466                 { DH_free(dh); return(NULL); }
2467         dh->length = 160;
2468         return(dh);
2469         }
2470 #endif
2471
2472 #ifndef OPENSSL_NO_PSK
2473 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2474 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2475         unsigned int max_psk_len)
2476         {
2477         int ret;
2478         BIGNUM *bn = NULL;
2479
2480         ret = BN_hex2bn(&bn, pskkey);
2481         if (!ret)
2482                 {
2483                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey); 
2484                 if (bn)
2485                         BN_free(bn);
2486                 return 0;
2487                 }
2488         if (BN_num_bytes(bn) > (int)max_psk_len)
2489                 {
2490                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2491                         max_psk_len, BN_num_bytes(bn));
2492                 BN_free(bn);
2493                 return 0;
2494                 }
2495         ret = BN_bn2bin(bn, psk);
2496         BN_free(bn);
2497         return ret;
2498         }
2499
2500 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2501         unsigned int max_identity_len, unsigned char *psk,
2502         unsigned int max_psk_len)
2503         {
2504         int ret;
2505         unsigned int psk_len = 0;
2506
2507         ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2508         if (ret < 0)
2509                 goto out_err;
2510         if (debug)
2511                 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2512         ret = psk_key2bn(psk_key, psk, max_psk_len);
2513         if (ret < 0)
2514                 goto out_err;
2515         psk_len = ret;
2516 out_err:
2517         return psk_len;
2518         }
2519
2520 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2521         unsigned char *psk, unsigned int max_psk_len)
2522         {
2523         unsigned int psk_len=0;
2524
2525         if (strcmp(identity, "Client_identity") != 0)
2526                 {
2527                 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2528                 return 0;
2529                 }
2530         psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2531         return psk_len;
2532         }
2533 #endif
2534
2535 static int do_test_cipherlist(void)
2536         {
2537         int i = 0;
2538         const SSL_METHOD *meth;
2539         const SSL_CIPHER *ci, *tci = NULL;
2540
2541 #ifndef OPENSSL_NO_SSL2
2542         fprintf(stderr, "testing SSLv2 cipher list order: ");
2543         meth = SSLv2_method();
2544         while ((ci = meth->get_cipher(i++)) != NULL)
2545                 {
2546                 if (tci != NULL)
2547                         if (ci->id >= tci->id)
2548                                 {
2549                                 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2550                                 return 0;
2551                                 }
2552                 tci = ci;
2553                 }
2554         fprintf(stderr, "ok\n");
2555 #endif
2556 #ifndef OPENSSL_NO_SSL3
2557         fprintf(stderr, "testing SSLv3 cipher list order: ");
2558         meth = SSLv3_method();
2559         tci = NULL;
2560         while ((ci = meth->get_cipher(i++)) != NULL)
2561                 {
2562                 if (tci != NULL)
2563                         if (ci->id >= tci->id)
2564                                 {
2565                                 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2566                                 return 0;
2567                                 }
2568                 tci = ci;
2569                 }
2570         fprintf(stderr, "ok\n");
2571 #endif
2572 #ifndef OPENSSL_NO_TLS1
2573         fprintf(stderr, "testing TLSv1 cipher list order: ");
2574         meth = TLSv1_method();
2575         tci = NULL;
2576         while ((ci = meth->get_cipher(i++)) != NULL)
2577                 {
2578                 if (tci != NULL)
2579                         if (ci->id >= tci->id)
2580                                 {
2581                                 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2582                                 return 0;
2583                                 }
2584                 tci = ci;
2585                 }
2586         fprintf(stderr, "ok\n");
2587 #endif
2588
2589         return 1;
2590         }