evp: prevent underflow in base64 decoding
[openssl.git] / ssl / ssltest.c
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by 
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116 /* ====================================================================
117  * Copyright 2005 Nokia. All rights reserved.
118  *
119  * The portions of the attached software ("Contribution") is developed by
120  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121  * license.
122  *
123  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125  * support (see RFC 4279) to OpenSSL.
126  *
127  * No patent licenses or other rights except those expressly stated in
128  * the OpenSSL open source license shall be deemed granted or received
129  * expressly, by implication, estoppel, or otherwise.
130  *
131  * No assurances are provided by Nokia that the Contribution does not
132  * infringe the patent or other intellectual property rights of any third
133  * party or that the license provides you with all the necessary rights
134  * to make use of the Contribution.
135  *
136  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140  * OTHERWISE.
141  */
142
143 #define _BSD_SOURCE 1           /* Or gethostname won't be declared properly
144                                    on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500       /* Or isascii won't be declared properly on
159                                    VMS (at least with DECompHP C).  */
160 #endif
161
162 #include <ctype.h>
163
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #ifndef OPENSSL_NO_SRP
185 #include <openssl/srp.h>
186 #endif
187 #include <openssl/bn.h>
188
189 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
190                                      on Compaq platforms (at least with DEC C).
191                                      Do not try to put it earlier, or IPv6 includes
192                                      get screwed...
193                                   */
194
195 #ifdef OPENSSL_SYS_WINDOWS
196 #include <winsock.h>
197 #else
198 #include OPENSSL_UNISTD
199 #endif
200
201 #ifdef OPENSSL_SYS_VMS
202 #  define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203 #  define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
204 #elif defined(OPENSSL_SYS_WINCE)
205 #  define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206 #  define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
207 #elif defined(OPENSSL_SYS_NETWARE)
208 #  define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209 #  define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
210 #else
211 #  define TEST_SERVER_CERT "../apps/server.pem"
212 #  define TEST_CLIENT_CERT "../apps/client.pem"
213 #endif
214
215 /* There is really no standard for this, so let's assign some tentative
216    numbers.  In any case, these numbers are only for this test */
217 #define COMP_RLE        255
218 #define COMP_ZLIB       1
219
220 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
221 #ifndef OPENSSL_NO_RSA
222 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
223 static void free_tmp_rsa(void);
224 #endif
225 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
226 #define APP_CALLBACK_STRING "Test Callback Argument"
227 struct app_verify_arg
228         {
229         char *string;
230         int app_verify;
231         int allow_proxy_certs;
232         char *proxy_auth;
233         char *proxy_cond;
234         };
235
236 #ifndef OPENSSL_NO_DH
237 static DH *get_dh512(void);
238 static DH *get_dh1024(void);
239 static DH *get_dh1024dsa(void);
240 #endif
241
242
243 static char *psk_key=NULL; /* by default PSK is not used */
244 #ifndef OPENSSL_NO_PSK
245 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
246         unsigned int max_identity_len, unsigned char *psk,
247         unsigned int max_psk_len);
248 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249         unsigned int max_psk_len);
250 #endif
251
252 #ifndef OPENSSL_NO_SRP
253 /* SRP client */
254 /* This is a context that we pass to all callbacks */
255 typedef struct srp_client_arg_st
256         {
257         char *srppassin;
258         char *srplogin;
259         } SRP_CLIENT_ARG;
260
261 #define PWD_STRLEN 1024
262
263 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
264         {
265         SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266         return BUF_strdup((char *)srp_client_arg->srppassin);
267         }
268
269 /* SRP server */
270 /* This is a context that we pass to SRP server callbacks */
271 typedef struct srp_server_arg_st
272         {
273         char *expected_user;
274         char *pass;
275         } SRP_SERVER_ARG;
276
277 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
278         {
279         SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281         if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282                 {
283                 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284                 return SSL3_AL_FATAL;
285                 }
286         if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287                 {
288                 *ad = SSL_AD_INTERNAL_ERROR;
289                 return SSL3_AL_FATAL;
290                 }
291         return SSL_ERROR_NONE;
292         }
293 #endif
294
295 static BIO *bio_err=NULL;
296 static BIO *bio_stdout=NULL;
297
298 static char *cipher=NULL;
299 static int verbose=0;
300 static int debug=0;
301 #if 0
302 /* Not used yet. */
303 #ifdef FIONBIO
304 static int s_nbio=0;
305 #endif
306 #endif
307
308 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
309
310 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
311 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
312 static int do_test_cipherlist(void);
313 static void sv_usage(void)
314         {
315         fprintf(stderr,"usage: ssltest [args ...]\n");
316         fprintf(stderr,"\n");
317 #ifdef OPENSSL_FIPS
318         fprintf(stderr,"-F             - run test in FIPS mode\n");
319 #endif
320         fprintf(stderr," -server_auth  - check server certificate\n");
321         fprintf(stderr," -client_auth  - do client authentication\n");
322         fprintf(stderr," -proxy        - allow proxy certificates\n");
323         fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
324         fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
325         fprintf(stderr," -v            - more output\n");
326         fprintf(stderr," -d            - debug output\n");
327         fprintf(stderr," -reuse        - use session-id reuse\n");
328         fprintf(stderr," -num <val>    - number of connections to perform\n");
329         fprintf(stderr," -bytes <val>  - number of bytes to swap between client/server\n");
330 #ifndef OPENSSL_NO_DH
331         fprintf(stderr," -dhe1024      - use 1024 bit key (safe prime) for DHE\n");
332         fprintf(stderr," -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
333         fprintf(stderr," -no_dhe       - disable DHE\n");
334 #endif
335 #ifndef OPENSSL_NO_ECDH
336         fprintf(stderr," -no_ecdhe     - disable ECDHE\n");
337 #endif
338 #ifndef OPENSSL_NO_PSK
339         fprintf(stderr," -psk arg      - PSK in hex (without 0x)\n");
340 #endif
341 #ifndef OPENSSL_NO_SRP
342         fprintf(stderr," -srpuser user  - SRP username to use\n");
343         fprintf(stderr," -srppass arg   - password for 'user'\n");
344 #endif
345 #ifndef OPENSSL_NO_SSL2
346         fprintf(stderr," -ssl2         - use SSLv2\n");
347 #endif
348 #ifndef OPENSSL_NO_SSL3
349         fprintf(stderr," -ssl3         - use SSLv3\n");
350 #endif
351 #ifndef OPENSSL_NO_TLS1
352         fprintf(stderr," -tls1         - use TLSv1\n");
353 #endif
354         fprintf(stderr," -CApath arg   - PEM format directory of CA's\n");
355         fprintf(stderr," -CAfile arg   - PEM format file of CA's\n");
356         fprintf(stderr," -cert arg     - Server certificate file\n");
357         fprintf(stderr," -key arg      - Server key file (default: same as -cert)\n");
358         fprintf(stderr," -c_cert arg   - Client certificate file\n");
359         fprintf(stderr," -c_key arg    - Client key file (default: same as -c_cert)\n");
360         fprintf(stderr," -cipher arg   - The cipher list\n");
361         fprintf(stderr," -bio_pair     - Use BIO pairs\n");
362         fprintf(stderr," -f            - Test even cases that can't work\n");
363         fprintf(stderr," -time         - measure processor time used by client and server\n");
364         fprintf(stderr," -zlib         - use zlib compression\n");
365         fprintf(stderr," -rle          - use rle compression\n");
366 #ifndef OPENSSL_NO_ECDH
367         fprintf(stderr," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
368                        "                 Use \"openssl ecparam -list_curves\" for all names\n"  \
369                        "                 (default is sect163r2).\n");
370 #endif
371         fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
372         }
373
374 static void print_details(SSL *c_ssl, const char *prefix)
375         {
376         const SSL_CIPHER *ciph;
377         X509 *cert;
378                 
379         ciph=SSL_get_current_cipher(c_ssl);
380         BIO_printf(bio_stdout,"%s%s, cipher %s %s",
381                 prefix,
382                 SSL_get_version(c_ssl),
383                 SSL_CIPHER_get_version(ciph),
384                 SSL_CIPHER_get_name(ciph));
385         cert=SSL_get_peer_certificate(c_ssl);
386         if (cert != NULL)
387                 {
388                 EVP_PKEY *pkey = X509_get_pubkey(cert);
389                 if (pkey != NULL)
390                         {
391                         if (0) 
392                                 ;
393 #ifndef OPENSSL_NO_RSA
394                         else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
395                                 && pkey->pkey.rsa->n != NULL)
396                                 {
397                                 BIO_printf(bio_stdout, ", %d bit RSA",
398                                         BN_num_bits(pkey->pkey.rsa->n));
399                                 }
400 #endif
401 #ifndef OPENSSL_NO_DSA
402                         else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
403                                 && pkey->pkey.dsa->p != NULL)
404                                 {
405                                 BIO_printf(bio_stdout, ", %d bit DSA",
406                                         BN_num_bits(pkey->pkey.dsa->p));
407                                 }
408 #endif
409                         EVP_PKEY_free(pkey);
410                         }
411                 X509_free(cert);
412                 }
413         /* The SSL API does not allow us to look at temporary RSA/DH keys,
414          * otherwise we should print their lengths too */
415         BIO_printf(bio_stdout,"\n");
416         }
417
418 static void lock_dbg_cb(int mode, int type, const char *file, int line)
419         {
420         static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
421         const char *errstr = NULL;
422         int rw;
423         
424         rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
425         if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
426                 {
427                 errstr = "invalid mode";
428                 goto err;
429                 }
430
431         if (type < 0 || type >= CRYPTO_NUM_LOCKS)
432                 {
433                 errstr = "type out of bounds";
434                 goto err;
435                 }
436
437         if (mode & CRYPTO_LOCK)
438                 {
439                 if (modes[type])
440                         {
441                         errstr = "already locked";
442                         /* must not happen in a single-threaded program
443                          * (would deadlock) */
444                         goto err;
445                         }
446
447                 modes[type] = rw;
448                 }
449         else if (mode & CRYPTO_UNLOCK)
450                 {
451                 if (!modes[type])
452                         {
453                         errstr = "not locked";
454                         goto err;
455                         }
456                 
457                 if (modes[type] != rw)
458                         {
459                         errstr = (rw == CRYPTO_READ) ?
460                                 "CRYPTO_r_unlock on write lock" :
461                                 "CRYPTO_w_unlock on read lock";
462                         }
463
464                 modes[type] = 0;
465                 }
466         else
467                 {
468                 errstr = "invalid mode";
469                 goto err;
470                 }
471
472  err:
473         if (errstr)
474                 {
475                 /* we cannot use bio_err here */
476                 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
477                         errstr, mode, type, file, line);
478                 }
479         }
480
481 #ifdef TLSEXT_TYPE_opaque_prf_input
482 struct cb_info_st { void *input; size_t len; int ret; };
483 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
484 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
485 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
486 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
487
488 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
489         {
490         struct cb_info_st *arg = arg_;
491
492         if (arg == NULL)
493                 return 1;
494         
495         if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
496                 return 0;
497         return arg->ret;
498         }
499 #endif
500
501 int main(int argc, char *argv[])
502         {
503         char *CApath=NULL,*CAfile=NULL;
504         int badop=0;
505         int bio_pair=0;
506         int force=0;
507         int tls1=0,ssl2=0,ssl3=0,ret=1;
508         int client_auth=0;
509         int server_auth=0,i;
510         struct app_verify_arg app_verify_arg =
511                 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
512         char *server_cert=TEST_SERVER_CERT;
513         char *server_key=NULL;
514         char *client_cert=TEST_CLIENT_CERT;
515         char *client_key=NULL;
516 #ifndef OPENSSL_NO_ECDH
517         char *named_curve = NULL;
518 #endif
519         SSL_CTX *s_ctx=NULL;
520         SSL_CTX *c_ctx=NULL;
521         const SSL_METHOD *meth=NULL;
522         SSL *c_ssl,*s_ssl;
523         int number=1,reuse=0;
524         long bytes=256L;
525 #ifndef OPENSSL_NO_DH
526         DH *dh;
527         int dhe1024 = 0, dhe1024dsa = 0;
528 #endif
529 #ifndef OPENSSL_NO_ECDH
530         EC_KEY *ecdh = NULL;
531 #endif
532 #ifndef OPENSSL_NO_SRP
533         /* client */
534         SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
535         /* server */
536         SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
537 #endif
538         int no_dhe = 0;
539         int no_ecdhe = 0;
540         int no_psk = 0;
541         int print_time = 0;
542         clock_t s_time = 0, c_time = 0;
543         int comp = 0;
544 #ifndef OPENSSL_NO_COMP
545         COMP_METHOD *cm = NULL;
546         STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
547 #endif
548         int test_cipherlist = 0;
549 #ifdef OPENSSL_FIPS
550         int fips_mode=0;
551 #endif
552
553         verbose = 0;
554         debug = 0;
555         cipher = 0;
556
557         bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);     
558
559         CRYPTO_set_locking_callback(lock_dbg_cb);
560
561         /* enable memory leak checking unless explicitly disabled */
562         if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
563                 {
564                 CRYPTO_malloc_debug_init();
565                 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
566                 }
567         else
568                 {
569                 /* OPENSSL_DEBUG_MEMORY=off */
570                 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
571                 }
572         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
573
574         RAND_seed(rnd_seed, sizeof rnd_seed);
575
576         bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
577
578         argc--;
579         argv++;
580
581         while (argc >= 1)
582                 {
583                 if(!strcmp(*argv,"-F"))
584                         {
585 #ifdef OPENSSL_FIPS
586                         fips_mode=1;
587 #else
588                         fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
589                         EXIT(0);
590 #endif
591                         }
592                 else if (strcmp(*argv,"-server_auth") == 0)
593                         server_auth=1;
594                 else if (strcmp(*argv,"-client_auth") == 0)
595                         client_auth=1;
596                 else if (strcmp(*argv,"-proxy_auth") == 0)
597                         {
598                         if (--argc < 1) goto bad;
599                         app_verify_arg.proxy_auth= *(++argv);
600                         }
601                 else if (strcmp(*argv,"-proxy_cond") == 0)
602                         {
603                         if (--argc < 1) goto bad;
604                         app_verify_arg.proxy_cond= *(++argv);
605                         }
606                 else if (strcmp(*argv,"-v") == 0)
607                         verbose=1;
608                 else if (strcmp(*argv,"-d") == 0)
609                         debug=1;
610                 else if (strcmp(*argv,"-reuse") == 0)
611                         reuse=1;
612                 else if (strcmp(*argv,"-dhe1024") == 0)
613                         {
614 #ifndef OPENSSL_NO_DH
615                         dhe1024=1;
616 #else
617                         fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
618 #endif
619                         }
620                 else if (strcmp(*argv,"-dhe1024dsa") == 0)
621                         {
622 #ifndef OPENSSL_NO_DH
623                         dhe1024dsa=1;
624 #else
625                         fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
626 #endif
627                         }
628                 else if (strcmp(*argv,"-no_dhe") == 0)
629                         no_dhe=1;
630                 else if (strcmp(*argv,"-no_ecdhe") == 0)
631                         no_ecdhe=1;
632                 else if (strcmp(*argv,"-psk") == 0)
633                         {
634                         if (--argc < 1) goto bad;
635                         psk_key=*(++argv);
636 #ifndef OPENSSL_NO_PSK
637                         if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
638                                 {
639                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
640                                 goto bad;
641                                 }
642 #else
643                         no_psk=1;
644 #endif
645                         }
646 #ifndef OPENSSL_NO_SRP
647                 else if (strcmp(*argv,"-srpuser") == 0)
648                         {
649                         if (--argc < 1) goto bad;
650                         srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
651                         tls1=1;
652                         }
653                 else if (strcmp(*argv,"-srppass") == 0)
654                         {
655                         if (--argc < 1) goto bad;
656                         srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
657                         tls1=1;
658                         }
659 #endif
660                 else if (strcmp(*argv,"-ssl2") == 0)
661                         ssl2=1;
662                 else if (strcmp(*argv,"-tls1") == 0)
663                         tls1=1;
664                 else if (strcmp(*argv,"-ssl3") == 0)
665                         ssl3=1;
666                 else if (strncmp(*argv,"-num",4) == 0)
667                         {
668                         if (--argc < 1) goto bad;
669                         number= atoi(*(++argv));
670                         if (number == 0) number=1;
671                         }
672                 else if (strcmp(*argv,"-bytes") == 0)
673                         {
674                         if (--argc < 1) goto bad;
675                         bytes= atol(*(++argv));
676                         if (bytes == 0L) bytes=1L;
677                         i=strlen(argv[0]);
678                         if (argv[0][i-1] == 'k') bytes*=1024L;
679                         if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
680                         }
681                 else if (strcmp(*argv,"-cert") == 0)
682                         {
683                         if (--argc < 1) goto bad;
684                         server_cert= *(++argv);
685                         }
686                 else if (strcmp(*argv,"-s_cert") == 0)
687                         {
688                         if (--argc < 1) goto bad;
689                         server_cert= *(++argv);
690                         }
691                 else if (strcmp(*argv,"-key") == 0)
692                         {
693                         if (--argc < 1) goto bad;
694                         server_key= *(++argv);
695                         }
696                 else if (strcmp(*argv,"-s_key") == 0)
697                         {
698                         if (--argc < 1) goto bad;
699                         server_key= *(++argv);
700                         }
701                 else if (strcmp(*argv,"-c_cert") == 0)
702                         {
703                         if (--argc < 1) goto bad;
704                         client_cert= *(++argv);
705                         }
706                 else if (strcmp(*argv,"-c_key") == 0)
707                         {
708                         if (--argc < 1) goto bad;
709                         client_key= *(++argv);
710                         }
711                 else if (strcmp(*argv,"-cipher") == 0)
712                         {
713                         if (--argc < 1) goto bad;
714                         cipher= *(++argv);
715                         }
716                 else if (strcmp(*argv,"-CApath") == 0)
717                         {
718                         if (--argc < 1) goto bad;
719                         CApath= *(++argv);
720                         }
721                 else if (strcmp(*argv,"-CAfile") == 0)
722                         {
723                         if (--argc < 1) goto bad;
724                         CAfile= *(++argv);
725                         }
726                 else if (strcmp(*argv,"-bio_pair") == 0)
727                         {
728                         bio_pair = 1;
729                         }
730                 else if (strcmp(*argv,"-f") == 0)
731                         {
732                         force = 1;
733                         }
734                 else if (strcmp(*argv,"-time") == 0)
735                         {
736                         print_time = 1;
737                         }
738                 else if (strcmp(*argv,"-zlib") == 0)
739                         {
740                         comp = COMP_ZLIB;
741                         }
742                 else if (strcmp(*argv,"-rle") == 0)
743                         {
744                         comp = COMP_RLE;
745                         }
746                 else if (strcmp(*argv,"-named_curve") == 0)
747                         {
748                         if (--argc < 1) goto bad;
749 #ifndef OPENSSL_NO_ECDH         
750                         named_curve = *(++argv);
751 #else
752                         fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
753                         ++argv;
754 #endif
755                         }
756                 else if (strcmp(*argv,"-app_verify") == 0)
757                         {
758                         app_verify_arg.app_verify = 1;
759                         }
760                 else if (strcmp(*argv,"-proxy") == 0)
761                         {
762                         app_verify_arg.allow_proxy_certs = 1;
763                         }
764                 else if (strcmp(*argv,"-test_cipherlist") == 0)
765                         {
766                         test_cipherlist = 1;
767                         }
768                 else
769                         {
770                         fprintf(stderr,"unknown option %s\n",*argv);
771                         badop=1;
772                         break;
773                         }
774                 argc--;
775                 argv++;
776                 }
777         if (badop)
778                 {
779 bad:
780                 sv_usage();
781                 goto end;
782                 }
783
784         if (test_cipherlist == 1)
785                 {
786                 /* ensure that the cipher list are correctly sorted and exit */
787                 if (do_test_cipherlist() == 0)
788                         EXIT(1);
789                 ret = 0;
790                 goto end;
791                 }
792
793         if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
794                 {
795                 fprintf(stderr, "This case cannot work.  Use -f to perform "
796                         "the test anyway (and\n-d to see what happens), "
797                         "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
798                         "to avoid protocol mismatch.\n");
799                 EXIT(1);
800                 }
801
802 #ifdef OPENSSL_FIPS
803         if(fips_mode)
804                 {
805                 if(!FIPS_mode_set(1))
806                         {
807                         ERR_load_crypto_strings();
808                         ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
809                         EXIT(1);
810                         }
811                 else
812                         fprintf(stderr,"*** IN FIPS MODE ***\n");
813                 }
814 #endif
815
816         if (print_time)
817                 {
818                 if (!bio_pair)
819                         {
820                         fprintf(stderr, "Using BIO pair (-bio_pair)\n");
821                         bio_pair = 1;
822                         }
823                 if (number < 50 && !force)
824                         fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
825                 }
826
827 /*      if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
828
829         SSL_library_init();
830         SSL_load_error_strings();
831
832 #ifndef OPENSSL_NO_COMP
833         if (comp == COMP_ZLIB) cm = COMP_zlib();
834         if (comp == COMP_RLE) cm = COMP_rle();
835         if (cm != NULL)
836                 {
837                 if (cm->type != NID_undef)
838                         {
839                         if (SSL_COMP_add_compression_method(comp, cm) != 0)
840                                 {
841                                 fprintf(stderr,
842                                         "Failed to add compression method\n");
843                                 ERR_print_errors_fp(stderr);
844                                 }
845                         }
846                 else
847                         {
848                         fprintf(stderr,
849                                 "Warning: %s compression not supported\n",
850                                 (comp == COMP_RLE ? "rle" :
851                                         (comp == COMP_ZLIB ? "zlib" :
852                                                 "unknown")));
853                         ERR_print_errors_fp(stderr);
854                         }
855                 }
856         ssl_comp_methods = SSL_COMP_get_compression_methods();
857         fprintf(stderr, "Available compression methods:\n");
858         {
859         int j, n = sk_SSL_COMP_num(ssl_comp_methods);
860         if (n == 0)
861                 fprintf(stderr, "  NONE\n");
862         else
863                 for (j = 0; j < n; j++)
864                         {
865                         SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
866                         fprintf(stderr, "  %d: %s\n", c->id, c->name);
867                         }
868         }
869 #endif
870
871 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
872         if (ssl2)
873                 meth=SSLv2_method();
874         else 
875         if (tls1)
876                 meth=TLSv1_method();
877         else
878         if (ssl3)
879                 meth=SSLv3_method();
880         else
881                 meth=SSLv23_method();
882 #else
883 #ifdef OPENSSL_NO_SSL2
884         if (tls1)
885                 meth=TLSv1_method();
886         else
887         if (ssl3)
888                 meth=SSLv3_method();
889         else
890                 meth=SSLv23_method();
891 #else
892         meth=SSLv2_method();
893 #endif
894 #endif
895
896         c_ctx=SSL_CTX_new(meth);
897         s_ctx=SSL_CTX_new(meth);
898         if ((c_ctx == NULL) || (s_ctx == NULL))
899                 {
900                 ERR_print_errors(bio_err);
901                 goto end;
902                 }
903
904         if (cipher != NULL)
905                 {
906                 SSL_CTX_set_cipher_list(c_ctx,cipher);
907                 SSL_CTX_set_cipher_list(s_ctx,cipher);
908                 }
909
910 #ifndef OPENSSL_NO_DH
911         if (!no_dhe)
912                 {
913                 if (dhe1024dsa)
914                         {
915                         /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
916                         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
917                         dh=get_dh1024dsa();
918                         }
919                 else if (dhe1024)
920                         dh=get_dh1024();
921                 else
922                         dh=get_dh512();
923                 SSL_CTX_set_tmp_dh(s_ctx,dh);
924                 DH_free(dh);
925                 }
926 #else
927         (void)no_dhe;
928 #endif
929
930 #ifndef OPENSSL_NO_ECDH
931         if (!no_ecdhe)
932                 {
933                 int nid;
934
935                 if (named_curve != NULL)
936                         {
937                         nid = OBJ_sn2nid(named_curve);
938                         if (nid == 0)
939                         {
940                                 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
941                                 goto end;
942                                 }
943                         }
944                 else
945 #ifdef OPENSSL_NO_EC2M
946                         nid = NID_X9_62_prime256v1;
947 #else
948                         nid = NID_sect163r2;
949 #endif
950
951                 ecdh = EC_KEY_new_by_curve_name(nid);
952                 if (ecdh == NULL)
953                         {
954                         BIO_printf(bio_err, "unable to create curve\n");
955                         goto end;
956                         }
957
958                 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
959                 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
960                 EC_KEY_free(ecdh);
961                 }
962 #else
963         (void)no_ecdhe;
964 #endif
965
966 #ifndef OPENSSL_NO_RSA
967         SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
968 #endif
969
970 #ifdef TLSEXT_TYPE_opaque_prf_input
971         SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
972         SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
973         SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
974         SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
975 #endif
976
977         if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
978                 {
979                 ERR_print_errors(bio_err);
980                 }
981         else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
982                 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
983                 {
984                 ERR_print_errors(bio_err);
985                 goto end;
986                 }
987
988         if (client_auth)
989                 {
990                 SSL_CTX_use_certificate_file(c_ctx,client_cert,
991                         SSL_FILETYPE_PEM);
992                 SSL_CTX_use_PrivateKey_file(c_ctx,
993                         (client_key?client_key:client_cert),
994                         SSL_FILETYPE_PEM);
995                 }
996
997         if (    (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
998                 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
999                 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
1000                 (!SSL_CTX_set_default_verify_paths(c_ctx)))
1001                 {
1002                 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1003                 ERR_print_errors(bio_err);
1004                 /* goto end; */
1005                 }
1006
1007         if (client_auth)
1008                 {
1009                 BIO_printf(bio_err,"client authentication\n");
1010                 SSL_CTX_set_verify(s_ctx,
1011                         SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1012                         verify_callback);
1013                 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1014                 }
1015         if (server_auth)
1016                 {
1017                 BIO_printf(bio_err,"server authentication\n");
1018                 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1019                         verify_callback);
1020                 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1021                 }
1022         
1023         {
1024                 int session_id_context = 0;
1025                 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1026         }
1027
1028         /* Use PSK only if PSK key is given */
1029         if (psk_key != NULL)
1030                 {
1031                 /* no_psk is used to avoid putting psk command to openssl tool */
1032                 if (no_psk)
1033                         {
1034                         /* if PSK is not compiled in and psk key is
1035                          * given, do nothing and exit successfully */
1036                         ret=0;
1037                         goto end;
1038                         }
1039 #ifndef OPENSSL_NO_PSK
1040                 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1041                 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1042                 if (debug)
1043                         BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1044                 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1045                         {
1046                         BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1047                         ERR_print_errors(bio_err);
1048                         goto end;
1049                         }
1050 #endif
1051                 }
1052 #ifndef OPENSSL_NO_SRP
1053         if (srp_client_arg.srplogin)
1054                 {
1055                 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1056                         {
1057                         BIO_printf(bio_err,"Unable to set SRP username\n");
1058                         goto end;
1059                         }
1060                 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1061                 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1062                 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1063                 }
1064
1065         if (srp_server_arg.expected_user != NULL)
1066                 {
1067                 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1068                 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1069                 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1070                 }
1071 #endif
1072
1073         c_ssl=SSL_new(c_ctx);
1074         s_ssl=SSL_new(s_ctx);
1075
1076 #ifndef OPENSSL_NO_KRB5
1077         if (c_ssl  &&  c_ssl->kssl_ctx)
1078                 {
1079                 char    localhost[MAXHOSTNAMELEN+2];
1080
1081                 if (gethostname(localhost, sizeof localhost-1) == 0)
1082                         {
1083                         localhost[sizeof localhost-1]='\0';
1084                         if(strlen(localhost) == sizeof localhost-1)
1085                                 {
1086                                 BIO_printf(bio_err,"localhost name too long\n");
1087                                 goto end;
1088                                 }
1089                         kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1090                                 localhost);
1091                         }
1092                 }
1093 #endif    /* OPENSSL_NO_KRB5  */
1094
1095         for (i=0; i<number; i++)
1096                 {
1097                 if (!reuse) SSL_set_session(c_ssl,NULL);
1098                 if (bio_pair)
1099                         ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1100                 else
1101                         ret=doit(s_ssl,c_ssl,bytes);
1102                 }
1103
1104         if (!verbose)
1105                 {
1106                 print_details(c_ssl, "");
1107                 }
1108         if ((number > 1) || (bytes > 1L))
1109                 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1110         if (print_time)
1111                 {
1112 #ifdef CLOCKS_PER_SEC
1113                 /* "To determine the time in seconds, the value returned
1114                  * by the clock function should be divided by the value
1115                  * of the macro CLOCKS_PER_SEC."
1116                  *                                       -- ISO/IEC 9899 */
1117                 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1118                         "Approximate total client time: %6.2f s\n",
1119                         (double)s_time/CLOCKS_PER_SEC,
1120                         (double)c_time/CLOCKS_PER_SEC);
1121 #else
1122                 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1123                  *                            -- cc on NeXTstep/OpenStep */
1124                 BIO_printf(bio_stdout,
1125                         "Approximate total server time: %6.2f units\n"
1126                         "Approximate total client time: %6.2f units\n",
1127                         (double)s_time,
1128                         (double)c_time);
1129 #endif
1130                 }
1131
1132         SSL_free(s_ssl);
1133         SSL_free(c_ssl);
1134
1135 end:
1136         if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1137         if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1138
1139         if (bio_stdout != NULL) BIO_free(bio_stdout);
1140
1141 #ifndef OPENSSL_NO_RSA
1142         free_tmp_rsa();
1143 #endif
1144 #ifndef OPENSSL_NO_ENGINE
1145         ENGINE_cleanup();
1146 #endif
1147         CRYPTO_cleanup_all_ex_data();
1148         ERR_free_strings();
1149         ERR_remove_thread_state(NULL);
1150         EVP_cleanup();
1151         CRYPTO_mem_leaks(bio_err);
1152         if (bio_err != NULL) BIO_free(bio_err);
1153         EXIT(ret);
1154         return ret;
1155         }
1156
1157 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1158         clock_t *s_time, clock_t *c_time)
1159         {
1160         long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1161         BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1162         BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1163         int ret = 1;
1164         
1165         size_t bufsiz = 256; /* small buffer for testing */
1166
1167         if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1168                 goto err;
1169         if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1170                 goto err;
1171         
1172         s_ssl_bio = BIO_new(BIO_f_ssl());
1173         if (!s_ssl_bio)
1174                 goto err;
1175
1176         c_ssl_bio = BIO_new(BIO_f_ssl());
1177         if (!c_ssl_bio)
1178                 goto err;
1179
1180         SSL_set_connect_state(c_ssl);
1181         SSL_set_bio(c_ssl, client, client);
1182         (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1183
1184         SSL_set_accept_state(s_ssl);
1185         SSL_set_bio(s_ssl, server, server);
1186         (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1187
1188         do
1189                 {
1190                 /* c_ssl_bio:          SSL filter BIO
1191                  *
1192                  * client:             pseudo-I/O for SSL library
1193                  *
1194                  * client_io:          client's SSL communication; usually to be
1195                  *                     relayed over some I/O facility, but in this
1196                  *                     test program, we're the server, too:
1197                  *
1198                  * server_io:          server's SSL communication
1199                  *
1200                  * server:             pseudo-I/O for SSL library
1201                  *
1202                  * s_ssl_bio:          SSL filter BIO
1203                  *
1204                  * The client and the server each employ a "BIO pair":
1205                  * client + client_io, server + server_io.
1206                  * BIO pairs are symmetric.  A BIO pair behaves similar
1207                  * to a non-blocking socketpair (but both endpoints must
1208                  * be handled by the same thread).
1209                  * [Here we could connect client and server to the ends
1210                  * of a single BIO pair, but then this code would be less
1211                  * suitable as an example for BIO pairs in general.]
1212                  *
1213                  * Useful functions for querying the state of BIO pair endpoints:
1214                  *
1215                  * BIO_ctrl_pending(bio)              number of bytes we can read now
1216                  * BIO_ctrl_get_read_request(bio)     number of bytes needed to fulfil
1217                  *                                      other side's read attempt
1218                  * BIO_ctrl_get_write_guarantee(bio)   number of bytes we can write now
1219                  *
1220                  * ..._read_request is never more than ..._write_guarantee;
1221                  * it depends on the application which one you should use.
1222                  */
1223
1224                 /* We have non-blocking behaviour throughout this test program, but
1225                  * can be sure that there is *some* progress in each iteration; so
1226                  * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1227                  * -- we just try everything in each iteration
1228                  */
1229
1230                         {
1231                         /* CLIENT */
1232                 
1233                         MS_STATIC char cbuf[1024*8];
1234                         int i, r;
1235                         clock_t c_clock = clock();
1236
1237                         memset(cbuf, 0, sizeof(cbuf));
1238
1239                         if (debug)
1240                                 if (SSL_in_init(c_ssl))
1241                                         printf("client waiting in SSL_connect - %s\n",
1242                                                 SSL_state_string_long(c_ssl));
1243
1244                         if (cw_num > 0)
1245                                 {
1246                                 /* Write to server. */
1247                                 
1248                                 if (cw_num > (long)sizeof cbuf)
1249                                         i = sizeof cbuf;
1250                                 else
1251                                         i = (int)cw_num;
1252                                 r = BIO_write(c_ssl_bio, cbuf, i);
1253                                 if (r < 0)
1254                                         {
1255                                         if (!BIO_should_retry(c_ssl_bio))
1256                                                 {
1257                                                 fprintf(stderr,"ERROR in CLIENT\n");
1258                                                 goto err;
1259                                                 }
1260                                         /* BIO_should_retry(...) can just be ignored here.
1261                                          * The library expects us to call BIO_write with
1262                                          * the same arguments again, and that's what we will
1263                                          * do in the next iteration. */
1264                                         }
1265                                 else if (r == 0)
1266                                         {
1267                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1268                                         goto err;
1269                                         }
1270                                 else
1271                                         {
1272                                         if (debug)
1273                                                 printf("client wrote %d\n", r);
1274                                         cw_num -= r;                            
1275                                         }
1276                                 }
1277
1278                         if (cr_num > 0)
1279                                 {
1280                                 /* Read from server. */
1281
1282                                 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1283                                 if (r < 0)
1284                                         {
1285                                         if (!BIO_should_retry(c_ssl_bio))
1286                                                 {
1287                                                 fprintf(stderr,"ERROR in CLIENT\n");
1288                                                 goto err;
1289                                                 }
1290                                         /* Again, "BIO_should_retry" can be ignored. */
1291                                         }
1292                                 else if (r == 0)
1293                                         {
1294                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1295                                         goto err;
1296                                         }
1297                                 else
1298                                         {
1299                                         if (debug)
1300                                                 printf("client read %d\n", r);
1301                                         cr_num -= r;
1302                                         }
1303                                 }
1304
1305                         /* c_time and s_time increments will typically be very small
1306                          * (depending on machine speed and clock tick intervals),
1307                          * but sampling over a large number of connections should
1308                          * result in fairly accurate figures.  We cannot guarantee
1309                          * a lot, however -- if each connection lasts for exactly
1310                          * one clock tick, it will be counted only for the client
1311                          * or only for the server or even not at all.
1312                          */
1313                         *c_time += (clock() - c_clock);
1314                         }
1315
1316                         {
1317                         /* SERVER */
1318                 
1319                         MS_STATIC char sbuf[1024*8];
1320                         int i, r;
1321                         clock_t s_clock = clock();
1322
1323                         memset(sbuf, 0, sizeof(sbuf));
1324
1325                         if (debug)
1326                                 if (SSL_in_init(s_ssl))
1327                                         printf("server waiting in SSL_accept - %s\n",
1328                                                 SSL_state_string_long(s_ssl));
1329
1330                         if (sw_num > 0)
1331                                 {
1332                                 /* Write to client. */
1333                                 
1334                                 if (sw_num > (long)sizeof sbuf)
1335                                         i = sizeof sbuf;
1336                                 else
1337                                         i = (int)sw_num;
1338                                 r = BIO_write(s_ssl_bio, sbuf, i);
1339                                 if (r < 0)
1340                                         {
1341                                         if (!BIO_should_retry(s_ssl_bio))
1342                                                 {
1343                                                 fprintf(stderr,"ERROR in SERVER\n");
1344                                                 goto err;
1345                                                 }
1346                                         /* Ignore "BIO_should_retry". */
1347                                         }
1348                                 else if (r == 0)
1349                                         {
1350                                         fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1351                                         goto err;
1352                                         }
1353                                 else
1354                                         {
1355                                         if (debug)
1356                                                 printf("server wrote %d\n", r);
1357                                         sw_num -= r;                            
1358                                         }
1359                                 }
1360
1361                         if (sr_num > 0)
1362                                 {
1363                                 /* Read from client. */
1364
1365                                 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1366                                 if (r < 0)
1367                                         {
1368                                         if (!BIO_should_retry(s_ssl_bio))
1369                                                 {
1370                                                 fprintf(stderr,"ERROR in SERVER\n");
1371                                                 goto err;
1372                                                 }
1373                                         /* blah, blah */
1374                                         }
1375                                 else if (r == 0)
1376                                         {
1377                                         fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1378                                         goto err;
1379                                         }
1380                                 else
1381                                         {
1382                                         if (debug)
1383                                                 printf("server read %d\n", r);
1384                                         sr_num -= r;
1385                                         }
1386                                 }
1387
1388                         *s_time += (clock() - s_clock);
1389                         }
1390                         
1391                         {
1392                         /* "I/O" BETWEEN CLIENT AND SERVER. */
1393
1394                         size_t r1, r2;
1395                         BIO *io1 = server_io, *io2 = client_io;
1396                         /* we use the non-copying interface for io1
1397                          * and the standard BIO_write/BIO_read interface for io2
1398                          */
1399                         
1400                         static int prev_progress = 1;
1401                         int progress = 0;
1402                         
1403                         /* io1 to io2 */
1404                         do
1405                                 {
1406                                 size_t num;
1407                                 int r;
1408
1409                                 r1 = BIO_ctrl_pending(io1);
1410                                 r2 = BIO_ctrl_get_write_guarantee(io2);
1411
1412                                 num = r1;
1413                                 if (r2 < num)
1414                                         num = r2;
1415                                 if (num)
1416                                         {
1417                                         char *dataptr;
1418
1419                                         if (INT_MAX < num) /* yeah, right */
1420                                                 num = INT_MAX;
1421                                         
1422                                         r = BIO_nread(io1, &dataptr, (int)num);
1423                                         assert(r > 0);
1424                                         assert(r <= (int)num);
1425                                         /* possibly r < num (non-contiguous data) */
1426                                         num = r;
1427                                         r = BIO_write(io2, dataptr, (int)num);
1428                                         if (r != (int)num) /* can't happen */
1429                                                 {
1430                                                 fprintf(stderr, "ERROR: BIO_write could not write "
1431                                                         "BIO_ctrl_get_write_guarantee() bytes");
1432                                                 goto err;
1433                                                 }
1434                                         progress = 1;
1435
1436                                         if (debug)
1437                                                 printf((io1 == client_io) ?
1438                                                         "C->S relaying: %d bytes\n" :
1439                                                         "S->C relaying: %d bytes\n",
1440                                                         (int)num);
1441                                         }
1442                                 }
1443                         while (r1 && r2);
1444
1445                         /* io2 to io1 */
1446                         {
1447                                 size_t num;
1448                                 int r;
1449
1450                                 r1 = BIO_ctrl_pending(io2);
1451                                 r2 = BIO_ctrl_get_read_request(io1);
1452                                 /* here we could use ..._get_write_guarantee instead of
1453                                  * ..._get_read_request, but by using the latter
1454                                  * we test restartability of the SSL implementation
1455                                  * more thoroughly */
1456                                 num = r1;
1457                                 if (r2 < num)
1458                                         num = r2;
1459                                 if (num)
1460                                         {
1461                                         char *dataptr;
1462                                         
1463                                         if (INT_MAX < num)
1464                                                 num = INT_MAX;
1465
1466                                         if (num > 1)
1467                                                 --num; /* test restartability even more thoroughly */
1468                                         
1469                                         r = BIO_nwrite0(io1, &dataptr);
1470                                         assert(r > 0);
1471                                         if (r < (int)num)
1472                                                 num = r;
1473                                         r = BIO_read(io2, dataptr, (int)num);
1474                                         if (r != (int)num) /* can't happen */
1475                                                 {
1476                                                 fprintf(stderr, "ERROR: BIO_read could not read "
1477                                                         "BIO_ctrl_pending() bytes");
1478                                                 goto err;
1479                                                 }
1480                                         progress = 1;
1481                                         r = BIO_nwrite(io1, &dataptr, (int)num);
1482                                         if (r != (int)num) /* can't happen */
1483                                                 {
1484                                                 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1485                                                         "BIO_nwrite0() bytes");
1486                                                 goto err;
1487                                                 }
1488                                         
1489                                         if (debug)
1490                                                 printf((io2 == client_io) ?
1491                                                         "C->S relaying: %d bytes\n" :
1492                                                         "S->C relaying: %d bytes\n",
1493                                                         (int)num);
1494                                         }
1495                         } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1496
1497                         if (!progress && !prev_progress)
1498                                 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1499                                         {
1500                                         fprintf(stderr, "ERROR: got stuck\n");
1501                                         if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1502                                                 {
1503                                                 fprintf(stderr, "This can happen for SSL2 because "
1504                                                         "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1505                                                         "concurrently ...");
1506                                                 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1507                                                         && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1508                                                         {
1509                                                         fprintf(stderr, " ok.\n");
1510                                                         goto end;
1511                                                         }
1512                                                 }
1513                                         fprintf(stderr, " ERROR.\n");
1514                                         goto err;
1515                                         }
1516                         prev_progress = progress;
1517                         }
1518                 }
1519         while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1520
1521         if (verbose)
1522                 print_details(c_ssl, "DONE via BIO pair: ");
1523 end:
1524         ret = 0;
1525
1526  err:
1527         ERR_print_errors(bio_err);
1528         
1529         if (server)
1530                 BIO_free(server);
1531         if (server_io)
1532                 BIO_free(server_io);
1533         if (client)
1534                 BIO_free(client);
1535         if (client_io)
1536                 BIO_free(client_io);
1537         if (s_ssl_bio)
1538                 BIO_free(s_ssl_bio);
1539         if (c_ssl_bio)
1540                 BIO_free(c_ssl_bio);
1541
1542         return ret;
1543         }
1544
1545
1546 #define W_READ  1
1547 #define W_WRITE 2
1548 #define C_DONE  1
1549 #define S_DONE  2
1550
1551 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1552         {
1553         MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1554         long cw_num=count,cr_num=count;
1555         long sw_num=count,sr_num=count;
1556         int ret=1;
1557         BIO *c_to_s=NULL;
1558         BIO *s_to_c=NULL;
1559         BIO *c_bio=NULL;
1560         BIO *s_bio=NULL;
1561         int c_r,c_w,s_r,s_w;
1562         int i,j;
1563         int done=0;
1564         int c_write,s_write;
1565         int do_server=0,do_client=0;
1566
1567         memset(cbuf,0,sizeof(cbuf));
1568         memset(sbuf,0,sizeof(sbuf));
1569
1570         c_to_s=BIO_new(BIO_s_mem());
1571         s_to_c=BIO_new(BIO_s_mem());
1572         if ((s_to_c == NULL) || (c_to_s == NULL))
1573                 {
1574                 ERR_print_errors(bio_err);
1575                 goto err;
1576                 }
1577
1578         c_bio=BIO_new(BIO_f_ssl());
1579         s_bio=BIO_new(BIO_f_ssl());
1580         if ((c_bio == NULL) || (s_bio == NULL))
1581                 {
1582                 ERR_print_errors(bio_err);
1583                 goto err;
1584                 }
1585
1586         SSL_set_connect_state(c_ssl);
1587         SSL_set_bio(c_ssl,s_to_c,c_to_s);
1588         BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1589
1590         SSL_set_accept_state(s_ssl);
1591         SSL_set_bio(s_ssl,c_to_s,s_to_c);
1592         BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1593
1594         c_r=0; s_r=1;
1595         c_w=1; s_w=0;
1596         c_write=1,s_write=0;
1597
1598         /* We can always do writes */
1599         for (;;)
1600                 {
1601                 do_server=0;
1602                 do_client=0;
1603
1604                 i=(int)BIO_pending(s_bio);
1605                 if ((i && s_r) || s_w) do_server=1;
1606
1607                 i=(int)BIO_pending(c_bio);
1608                 if ((i && c_r) || c_w) do_client=1;
1609
1610                 if (do_server && debug)
1611                         {
1612                         if (SSL_in_init(s_ssl))
1613                                 printf("server waiting in SSL_accept - %s\n",
1614                                         SSL_state_string_long(s_ssl));
1615 /*                      else if (s_write)
1616                                 printf("server:SSL_write()\n");
1617                         else
1618                                 printf("server:SSL_read()\n"); */
1619                         }
1620
1621                 if (do_client && debug)
1622                         {
1623                         if (SSL_in_init(c_ssl))
1624                                 printf("client waiting in SSL_connect - %s\n",
1625                                         SSL_state_string_long(c_ssl));
1626 /*                      else if (c_write)
1627                                 printf("client:SSL_write()\n");
1628                         else
1629                                 printf("client:SSL_read()\n"); */
1630                         }
1631
1632                 if (!do_client && !do_server)
1633                         {
1634                         fprintf(stdout,"ERROR IN STARTUP\n");
1635                         ERR_print_errors(bio_err);
1636                         break;
1637                         }
1638                 if (do_client && !(done & C_DONE))
1639                         {
1640                         if (c_write)
1641                                 {
1642                                 j = (cw_num > (long)sizeof(cbuf)) ?
1643                                         (int)sizeof(cbuf) : (int)cw_num;
1644                                 i=BIO_write(c_bio,cbuf,j);
1645                                 if (i < 0)
1646                                         {
1647                                         c_r=0;
1648                                         c_w=0;
1649                                         if (BIO_should_retry(c_bio))
1650                                                 {
1651                                                 if (BIO_should_read(c_bio))
1652                                                         c_r=1;
1653                                                 if (BIO_should_write(c_bio))
1654                                                         c_w=1;
1655                                                 }
1656                                         else
1657                                                 {
1658                                                 fprintf(stderr,"ERROR in CLIENT\n");
1659                                                 ERR_print_errors(bio_err);
1660                                                 goto err;
1661                                                 }
1662                                         }
1663                                 else if (i == 0)
1664                                         {
1665                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1666                                         goto err;
1667                                         }
1668                                 else
1669                                         {
1670                                         if (debug)
1671                                                 printf("client wrote %d\n",i);
1672                                         /* ok */
1673                                         s_r=1;
1674                                         c_write=0;
1675                                         cw_num-=i;
1676                                         }
1677                                 }
1678                         else
1679                                 {
1680                                 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1681                                 if (i < 0)
1682                                         {
1683                                         c_r=0;
1684                                         c_w=0;
1685                                         if (BIO_should_retry(c_bio))
1686                                                 {
1687                                                 if (BIO_should_read(c_bio))
1688                                                         c_r=1;
1689                                                 if (BIO_should_write(c_bio))
1690                                                         c_w=1;
1691                                                 }
1692                                         else
1693                                                 {
1694                                                 fprintf(stderr,"ERROR in CLIENT\n");
1695                                                 ERR_print_errors(bio_err);
1696                                                 goto err;
1697                                                 }
1698                                         }
1699                                 else if (i == 0)
1700                                         {
1701                                         fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1702                                         goto err;
1703                                         }
1704                                 else
1705                                         {
1706                                         if (debug)
1707                                                 printf("client read %d\n",i);
1708                                         cr_num-=i;
1709                                         if (sw_num > 0)
1710                                                 {
1711                                                 s_write=1;
1712                                                 s_w=1;
1713                                                 }
1714                                         if (cr_num <= 0)
1715                                                 {
1716                                                 s_write=1;
1717                                                 s_w=1;
1718                                                 done=S_DONE|C_DONE;
1719                                                 }
1720                                         }
1721                                 }
1722                         }
1723
1724                 if (do_server && !(done & S_DONE))
1725                         {
1726                         if (!s_write)
1727                                 {
1728                                 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1729                                 if (i < 0)
1730                                         {
1731                                         s_r=0;
1732                                         s_w=0;
1733                                         if (BIO_should_retry(s_bio))
1734                                                 {
1735                                                 if (BIO_should_read(s_bio))
1736                                                         s_r=1;
1737                                                 if (BIO_should_write(s_bio))
1738                                                         s_w=1;
1739                                                 }
1740                                         else
1741                                                 {
1742                                                 fprintf(stderr,"ERROR in SERVER\n");
1743                                                 ERR_print_errors(bio_err);
1744                                                 goto err;
1745                                                 }
1746                                         }
1747                                 else if (i == 0)
1748                                         {
1749                                         ERR_print_errors(bio_err);
1750                                         fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1751                                         goto err;
1752                                         }
1753                                 else
1754                                         {
1755                                         if (debug)
1756                                                 printf("server read %d\n",i);
1757                                         sr_num-=i;
1758                                         if (cw_num > 0)
1759                                                 {
1760                                                 c_write=1;
1761                                                 c_w=1;
1762                                                 }
1763                                         if (sr_num <= 0)
1764                                                 {
1765                                                 s_write=1;
1766                                                 s_w=1;
1767                                                 c_write=0;
1768                                                 }
1769                                         }
1770                                 }
1771                         else
1772                                 {
1773                                 j = (sw_num > (long)sizeof(sbuf)) ?
1774                                         (int)sizeof(sbuf) : (int)sw_num;
1775                                 i=BIO_write(s_bio,sbuf,j);
1776                                 if (i < 0)
1777                                         {
1778                                         s_r=0;
1779                                         s_w=0;
1780                                         if (BIO_should_retry(s_bio))
1781                                                 {
1782                                                 if (BIO_should_read(s_bio))
1783                                                         s_r=1;
1784                                                 if (BIO_should_write(s_bio))
1785                                                         s_w=1;
1786                                                 }
1787                                         else
1788                                                 {
1789                                                 fprintf(stderr,"ERROR in SERVER\n");
1790                                                 ERR_print_errors(bio_err);
1791                                                 goto err;
1792                                                 }
1793                                         }
1794                                 else if (i == 0)
1795                                         {
1796                                         ERR_print_errors(bio_err);
1797                                         fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1798                                         goto err;
1799                                         }
1800                                 else
1801                                         {
1802                                         if (debug)
1803                                                 printf("server wrote %d\n",i);
1804                                         sw_num-=i;
1805                                         s_write=0;
1806                                         c_r=1;
1807                                         if (sw_num <= 0)
1808                                                 done|=S_DONE;
1809                                         }
1810                                 }
1811                         }
1812
1813                 if ((done & S_DONE) && (done & C_DONE)) break;
1814                 }
1815
1816         if (verbose)
1817                 print_details(c_ssl, "DONE: ");
1818         ret=0;
1819 err:
1820         /* We have to set the BIO's to NULL otherwise they will be
1821          * OPENSSL_free()ed twice.  Once when th s_ssl is SSL_free()ed and
1822          * again when c_ssl is SSL_free()ed.
1823          * This is a hack required because s_ssl and c_ssl are sharing the same
1824          * BIO structure and SSL_set_bio() and SSL_free() automatically
1825          * BIO_free non NULL entries.
1826          * You should not normally do this or be required to do this */
1827         if (s_ssl != NULL)
1828                 {
1829                 s_ssl->rbio=NULL;
1830                 s_ssl->wbio=NULL;
1831                 }
1832         if (c_ssl != NULL)
1833                 {
1834                 c_ssl->rbio=NULL;
1835                 c_ssl->wbio=NULL;
1836                 }
1837
1838         if (c_to_s != NULL) BIO_free(c_to_s);
1839         if (s_to_c != NULL) BIO_free(s_to_c);
1840         if (c_bio != NULL) BIO_free_all(c_bio);
1841         if (s_bio != NULL) BIO_free_all(s_bio);
1842         return(ret);
1843         }
1844
1845 static int get_proxy_auth_ex_data_idx(void)
1846         {
1847         static volatile int idx = -1;
1848         if (idx < 0)
1849                 {
1850                 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1851                 if (idx < 0)
1852                         {
1853                         idx = X509_STORE_CTX_get_ex_new_index(0,
1854                                 "SSLtest for verify callback", NULL,NULL,NULL);
1855                         }
1856                 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1857                 }
1858         return idx;
1859         }
1860
1861 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1862         {
1863         char *s,buf[256];
1864
1865         s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1866                             sizeof buf);
1867         if (s != NULL)
1868                 {
1869                 if (ok)
1870                         fprintf(stderr,"depth=%d %s\n",
1871                                 ctx->error_depth,buf);
1872                 else
1873                         {
1874                         fprintf(stderr,"depth=%d error=%d %s\n",
1875                                 ctx->error_depth,ctx->error,buf);
1876                         }
1877                 }
1878
1879         if (ok == 0)
1880                 {
1881                 fprintf(stderr,"Error string: %s\n",
1882                         X509_verify_cert_error_string(ctx->error));
1883                 switch (ctx->error)
1884                         {
1885                 case X509_V_ERR_CERT_NOT_YET_VALID:
1886                 case X509_V_ERR_CERT_HAS_EXPIRED:
1887                 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1888                         fprintf(stderr,"  ... ignored.\n");
1889                         ok=1;
1890                         }
1891                 }
1892
1893         if (ok == 1)
1894                 {
1895                 X509 *xs = ctx->current_cert;
1896 #if 0
1897                 X509 *xi = ctx->current_issuer;
1898 #endif
1899
1900                 if (xs->ex_flags & EXFLAG_PROXY)
1901                         {
1902                         unsigned int *letters =
1903                                 X509_STORE_CTX_get_ex_data(ctx,
1904                                         get_proxy_auth_ex_data_idx());
1905
1906                         if (letters)
1907                                 {
1908                                 int found_any = 0;
1909                                 int i;
1910                                 PROXY_CERT_INFO_EXTENSION *pci =
1911                                         X509_get_ext_d2i(xs, NID_proxyCertInfo,
1912                                                 NULL, NULL);
1913
1914                                 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1915                                         {
1916                                 case NID_Independent:
1917                                         /* Completely meaningless in this
1918                                            program, as there's no way to
1919                                            grant explicit rights to a
1920                                            specific PrC.  Basically, using
1921                                            id-ppl-Independent is the perfect
1922                                            way to grant no rights at all. */
1923                                         fprintf(stderr, "  Independent proxy certificate");
1924                                         for (i = 0; i < 26; i++)
1925                                                 letters[i] = 0;
1926                                         break;
1927                                 case NID_id_ppl_inheritAll:
1928                                         /* This is basically a NOP, we
1929                                            simply let the current rights
1930                                            stand as they are. */
1931                                         fprintf(stderr, "  Proxy certificate inherits all");
1932                                         break;
1933                                 default:
1934                                         s = (char *)
1935                                                 pci->proxyPolicy->policy->data;
1936                                         i = pci->proxyPolicy->policy->length;
1937
1938                                         /* The algorithm works as follows:
1939                                            it is assumed that previous
1940                                            iterations or the initial granted
1941                                            rights has already set some elements
1942                                            of `letters'.  What we need to do is
1943                                            to clear those that weren't granted
1944                                            by the current PrC as well.  The
1945                                            easiest way to do this is to add 1
1946                                            to all the elements whose letters
1947                                            are given with the current policy.
1948                                            That way, all elements that are set
1949                                            by the current policy and were
1950                                            already set by earlier policies and
1951                                            through the original grant of rights
1952                                            will get the value 2 or higher.
1953                                            The last thing to do is to sweep
1954                                            through `letters' and keep the
1955                                            elements having the value 2 as set,
1956                                            and clear all the others. */
1957
1958                                         fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
1959                                         while(i-- > 0)
1960                                                 {
1961                                                 int c = *s++;
1962                                                 if (isascii(c) && isalpha(c))
1963                                                         {
1964                                                         if (islower(c))
1965                                                                 c = toupper(c);
1966                                                         letters[c - 'A']++;
1967                                                         }
1968                                                 }
1969                                         for (i = 0; i < 26; i++)
1970                                                 if (letters[i] < 2)
1971                                                         letters[i] = 0;
1972                                                 else
1973                                                         letters[i] = 1;
1974                                         }
1975
1976                                 found_any = 0;
1977                                 fprintf(stderr,
1978                                         ", resulting proxy rights = ");
1979                                 for(i = 0; i < 26; i++)
1980                                         if (letters[i])
1981                                                 {
1982                                                 fprintf(stderr, "%c", i + 'A');
1983                                                 found_any = 1;
1984                                                 }
1985                                 if (!found_any)
1986                                         fprintf(stderr, "none");
1987                                 fprintf(stderr, "\n");
1988
1989                                 PROXY_CERT_INFO_EXTENSION_free(pci);
1990                                 }
1991                         }
1992                 }
1993
1994         return(ok);
1995         }
1996
1997 static void process_proxy_debug(int indent, const char *format, ...)
1998         {
1999         static const char indentation[] =
2000                 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2001                 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2002         char my_format[256];
2003         va_list args;
2004
2005         BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2006                 indent, indent, indentation, format);
2007
2008         va_start(args, format);
2009         vfprintf(stderr, my_format, args);
2010         va_end(args);
2011         }
2012 /* Priority levels:
2013    0    [!]var, ()
2014    1    & ^
2015    2    |
2016 */
2017 static int process_proxy_cond_adders(unsigned int letters[26],
2018         const char *cond, const char **cond_end, int *pos, int indent);
2019 static int process_proxy_cond_val(unsigned int letters[26],
2020         const char *cond, const char **cond_end, int *pos, int indent)
2021         {
2022         int c;
2023         int ok = 1;
2024         int negate = 0;
2025
2026         while(isspace((int)*cond))
2027                 {
2028                 cond++; (*pos)++;
2029                 }
2030         c = *cond;
2031
2032         if (debug)
2033                 process_proxy_debug(indent,
2034                         "Start process_proxy_cond_val at position %d: %s\n",
2035                         *pos, cond);
2036
2037         while(c == '!')
2038                 {
2039                 negate = !negate;
2040                 cond++; (*pos)++;
2041                 while(isspace((int)*cond))
2042                         {
2043                         cond++; (*pos)++;
2044                         }
2045                 c = *cond;
2046                 }
2047
2048         if (c == '(')
2049                 {
2050                 cond++; (*pos)++;
2051                 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2052                         indent + 1);
2053                 cond = *cond_end;
2054                 if (ok < 0)
2055                         goto end;
2056                 while(isspace((int)*cond))
2057                         {
2058                         cond++; (*pos)++;
2059                         }
2060                 c = *cond;
2061                 if (c != ')')
2062                         {
2063                         fprintf(stderr,
2064                                 "Weird condition character in position %d: "
2065                                 "%c\n", *pos, c);
2066                         ok = -1;
2067                         goto end;
2068                         }
2069                 cond++; (*pos)++;
2070                 }
2071         else if (isascii(c) && isalpha(c))
2072                 {
2073                 if (islower(c))
2074                         c = toupper(c);
2075                 ok = letters[c - 'A'];
2076                 cond++; (*pos)++;
2077                 }
2078         else
2079                 {
2080                 fprintf(stderr,
2081                         "Weird condition character in position %d: "
2082                         "%c\n", *pos, c);
2083                 ok = -1;
2084                 goto end;
2085                 }
2086  end:
2087         *cond_end = cond;
2088         if (ok >= 0 && negate)
2089                 ok = !ok;
2090
2091         if (debug)
2092                 process_proxy_debug(indent,
2093                         "End process_proxy_cond_val at position %d: %s, returning %d\n",
2094                         *pos, cond, ok);
2095
2096         return ok;
2097         }
2098 static int process_proxy_cond_multipliers(unsigned int letters[26],
2099         const char *cond, const char **cond_end, int *pos, int indent)
2100         {
2101         int ok;
2102         char c;
2103
2104         if (debug)
2105                 process_proxy_debug(indent,
2106                         "Start process_proxy_cond_multipliers at position %d: %s\n",
2107                         *pos, cond);
2108
2109         ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2110         cond = *cond_end;
2111         if (ok < 0)
2112                 goto end;
2113
2114         while(ok >= 0)
2115                 {
2116                 while(isspace((int)*cond))
2117                         {
2118                         cond++; (*pos)++;
2119                         }
2120                 c = *cond;
2121
2122                 switch(c)
2123                         {
2124                 case '&':
2125                 case '^':
2126                         {
2127                         int save_ok = ok;
2128
2129                         cond++; (*pos)++;
2130                         ok = process_proxy_cond_val(letters,
2131                                 cond, cond_end, pos, indent + 1);
2132                         cond = *cond_end;
2133                         if (ok < 0)
2134                                 break;
2135
2136                         switch(c)
2137                                 {
2138                         case '&':
2139                                 ok &= save_ok;
2140                                 break;
2141                         case '^':
2142                                 ok ^= save_ok;
2143                                 break;
2144                         default:
2145                                 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2146                                         " STOPPING\n");
2147                                 EXIT(1);
2148                                 }
2149                         }
2150                         break;
2151                 default:
2152                         goto end;
2153                         }
2154                 }
2155  end:
2156         if (debug)
2157                 process_proxy_debug(indent,
2158                         "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2159                         *pos, cond, ok);
2160
2161         *cond_end = cond;
2162         return ok;
2163         }
2164 static int process_proxy_cond_adders(unsigned int letters[26],
2165         const char *cond, const char **cond_end, int *pos, int indent)
2166         {
2167         int ok;
2168         char c;
2169
2170         if (debug)
2171                 process_proxy_debug(indent,
2172                         "Start process_proxy_cond_adders at position %d: %s\n",
2173                         *pos, cond);
2174
2175         ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2176                 indent + 1);
2177         cond = *cond_end;
2178         if (ok < 0)
2179                 goto end;
2180
2181         while(ok >= 0)
2182                 {
2183                 while(isspace((int)*cond))
2184                         {
2185                         cond++; (*pos)++;
2186                         }
2187                 c = *cond;
2188
2189                 switch(c)
2190                         {
2191                 case '|':
2192                         {
2193                         int save_ok = ok;
2194
2195                         cond++; (*pos)++;
2196                         ok = process_proxy_cond_multipliers(letters,
2197                                 cond, cond_end, pos, indent + 1);
2198                         cond = *cond_end;
2199                         if (ok < 0)
2200                                 break;
2201
2202                         switch(c)
2203                                 {
2204                         case '|':
2205                                 ok |= save_ok;
2206                                 break;
2207                         default:
2208                                 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2209                                         " STOPPING\n");
2210                                 EXIT(1);
2211                                 }
2212                         }
2213                         break;
2214                 default:
2215                         goto end;
2216                         }
2217                 }
2218  end:
2219         if (debug)
2220                 process_proxy_debug(indent,
2221                         "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2222                         *pos, cond, ok);
2223
2224         *cond_end = cond;
2225         return ok;
2226         }
2227
2228 static int process_proxy_cond(unsigned int letters[26],
2229         const char *cond, const char **cond_end)
2230         {
2231         int pos = 1;
2232         return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2233         }
2234
2235 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2236         {
2237         int ok=1;
2238         struct app_verify_arg *cb_arg = arg;
2239         unsigned int letters[26]; /* only used with proxy_auth */
2240
2241         if (cb_arg->app_verify)
2242                 {
2243                 char *s = NULL,buf[256];
2244
2245                 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2246                 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2247                 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2248                         (void *)ctx, (void *)ctx->cert);
2249                 if (ctx->cert)
2250                         s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2251                 if (s != NULL)
2252                         {
2253                         fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2254                         }
2255                 return(1);
2256                 }
2257         if (cb_arg->proxy_auth)
2258                 {
2259                 int found_any = 0, i;
2260                 char *sp;
2261
2262                 for(i = 0; i < 26; i++)
2263                         letters[i] = 0;
2264                 for(sp = cb_arg->proxy_auth; *sp; sp++)
2265                         {
2266                         int c = *sp;
2267                         if (isascii(c) && isalpha(c))
2268                                 {
2269                                 if (islower(c))
2270                                         c = toupper(c);
2271                                 letters[c - 'A'] = 1;
2272                                 }
2273                         }
2274
2275                 fprintf(stderr,
2276                         "  Initial proxy rights = ");
2277                 for(i = 0; i < 26; i++)
2278                         if (letters[i])
2279                                 {
2280                                 fprintf(stderr, "%c", i + 'A');
2281                                 found_any = 1;
2282                                 }
2283                 if (!found_any)
2284                         fprintf(stderr, "none");
2285                 fprintf(stderr, "\n");
2286
2287                 X509_STORE_CTX_set_ex_data(ctx,
2288                         get_proxy_auth_ex_data_idx(),letters);
2289                 }
2290         if (cb_arg->allow_proxy_certs)
2291                 {
2292                 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2293                 }
2294
2295 #ifndef OPENSSL_NO_X509_VERIFY
2296         ok = X509_verify_cert(ctx);
2297 #endif
2298
2299         if (cb_arg->proxy_auth)
2300                 {
2301                 if (ok > 0)
2302                         {
2303                         const char *cond_end = NULL;
2304
2305                         ok = process_proxy_cond(letters,
2306                                 cb_arg->proxy_cond, &cond_end);
2307
2308                         if (ok < 0)
2309                                 EXIT(3);
2310                         if (*cond_end)
2311                                 {
2312                                 fprintf(stderr, "Stopped processing condition before it's end.\n");
2313                                 ok = 0;
2314                                 }
2315                         if (!ok)
2316                                 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2317                                         cb_arg->proxy_cond);
2318                         else
2319                                 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2320                                         cb_arg->proxy_cond);
2321                         }
2322                 }
2323         return(ok);
2324         }
2325
2326 #ifndef OPENSSL_NO_RSA
2327 static RSA *rsa_tmp=NULL;
2328
2329 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2330         {
2331         BIGNUM *bn = NULL;
2332         if (rsa_tmp == NULL)
2333                 {
2334                 bn = BN_new();
2335                 rsa_tmp = RSA_new();
2336                 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2337                         {
2338                         BIO_printf(bio_err, "Memory error...");
2339                         goto end;
2340                         }
2341                 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2342                 (void)BIO_flush(bio_err);
2343                 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2344                         {
2345                         BIO_printf(bio_err, "Error generating key.");
2346                         RSA_free(rsa_tmp);
2347                         rsa_tmp = NULL;
2348                         }
2349 end:
2350                 BIO_printf(bio_err,"\n");
2351                 (void)BIO_flush(bio_err);
2352                 }
2353         if(bn) BN_free(bn);
2354         return(rsa_tmp);
2355         }
2356
2357 static void free_tmp_rsa(void)
2358         {
2359         if (rsa_tmp != NULL)
2360                 {
2361                 RSA_free(rsa_tmp);
2362                 rsa_tmp = NULL;
2363                 }
2364         }
2365 #endif
2366
2367 #ifndef OPENSSL_NO_DH
2368 /* These DH parameters have been generated as follows:
2369  *    $ openssl dhparam -C -noout 512
2370  *    $ openssl dhparam -C -noout 1024
2371  *    $ openssl dhparam -C -noout -dsaparam 1024
2372  * (The third function has been renamed to avoid name conflicts.)
2373  */
2374 static DH *get_dh512()
2375         {
2376         static unsigned char dh512_p[]={
2377                 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2378                 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2379                 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2380                 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2381                 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2382                 0x02,0xC5,0xAE,0x23,
2383                 };
2384         static unsigned char dh512_g[]={
2385                 0x02,
2386                 };
2387         DH *dh;
2388
2389         if ((dh=DH_new()) == NULL) return(NULL);
2390         dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2391         dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2392         if ((dh->p == NULL) || (dh->g == NULL))
2393                 { DH_free(dh); return(NULL); }
2394         return(dh);
2395         }
2396
2397 static DH *get_dh1024()
2398         {
2399         static unsigned char dh1024_p[]={
2400                 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2401                 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2402                 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2403                 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2404                 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2405                 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2406                 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2407                 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2408                 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2409                 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2410                 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2411                 };
2412         static unsigned char dh1024_g[]={
2413                 0x02,
2414                 };
2415         DH *dh;
2416
2417         if ((dh=DH_new()) == NULL) return(NULL);
2418         dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2419         dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2420         if ((dh->p == NULL) || (dh->g == NULL))
2421                 { DH_free(dh); return(NULL); }
2422         return(dh);
2423         }
2424
2425 static DH *get_dh1024dsa()
2426         {
2427         static unsigned char dh1024_p[]={
2428                 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2429                 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2430                 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2431                 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2432                 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2433                 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2434                 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2435                 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2436                 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2437                 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2438                 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2439                 };
2440         static unsigned char dh1024_g[]={
2441                 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2442                 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2443                 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2444                 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2445                 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2446                 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2447                 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2448                 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2449                 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2450                 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2451                 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2452                 };
2453         DH *dh;
2454
2455         if ((dh=DH_new()) == NULL) return(NULL);
2456         dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2457         dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2458         if ((dh->p == NULL) || (dh->g == NULL))
2459                 { DH_free(dh); return(NULL); }
2460         dh->length = 160;
2461         return(dh);
2462         }
2463 #endif
2464
2465 #ifndef OPENSSL_NO_PSK
2466 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2467 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2468         unsigned int max_psk_len)
2469         {
2470         int ret;
2471         BIGNUM *bn = NULL;
2472
2473         ret = BN_hex2bn(&bn, pskkey);
2474         if (!ret)
2475                 {
2476                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey); 
2477                 if (bn)
2478                         BN_free(bn);
2479                 return 0;
2480                 }
2481         if (BN_num_bytes(bn) > (int)max_psk_len)
2482                 {
2483                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2484                         max_psk_len, BN_num_bytes(bn));
2485                 BN_free(bn);
2486                 return 0;
2487                 }
2488         ret = BN_bn2bin(bn, psk);
2489         BN_free(bn);
2490         return ret;
2491         }
2492
2493 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2494         unsigned int max_identity_len, unsigned char *psk,
2495         unsigned int max_psk_len)
2496         {
2497         int ret;
2498         unsigned int psk_len = 0;
2499
2500         ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2501         if (ret < 0)
2502                 goto out_err;
2503         if (debug)
2504                 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2505         ret = psk_key2bn(psk_key, psk, max_psk_len);
2506         if (ret < 0)
2507                 goto out_err;
2508         psk_len = ret;
2509 out_err:
2510         return psk_len;
2511         }
2512
2513 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2514         unsigned char *psk, unsigned int max_psk_len)
2515         {
2516         unsigned int psk_len=0;
2517
2518         if (strcmp(identity, "Client_identity") != 0)
2519                 {
2520                 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2521                 return 0;
2522                 }
2523         psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2524         return psk_len;
2525         }
2526 #endif
2527
2528 static int do_test_cipherlist(void)
2529         {
2530         int i = 0;
2531         const SSL_METHOD *meth;
2532         const SSL_CIPHER *ci, *tci = NULL;
2533
2534 #ifndef OPENSSL_NO_SSL2
2535         fprintf(stderr, "testing SSLv2 cipher list order: ");
2536         meth = SSLv2_method();
2537         while ((ci = meth->get_cipher(i++)) != NULL)
2538                 {
2539                 if (tci != NULL)
2540                         if (ci->id >= tci->id)
2541                                 {
2542                                 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2543                                 return 0;
2544                                 }
2545                 tci = ci;
2546                 }
2547         fprintf(stderr, "ok\n");
2548 #endif
2549 #ifndef OPENSSL_NO_SSL3
2550         fprintf(stderr, "testing SSLv3 cipher list order: ");
2551         meth = SSLv3_method();
2552         tci = NULL;
2553         while ((ci = meth->get_cipher(i++)) != NULL)
2554                 {
2555                 if (tci != NULL)
2556                         if (ci->id >= tci->id)
2557                                 {
2558                                 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2559                                 return 0;
2560                                 }
2561                 tci = ci;
2562                 }
2563         fprintf(stderr, "ok\n");
2564 #endif
2565 #ifndef OPENSSL_NO_TLS1
2566         fprintf(stderr, "testing TLSv1 cipher list order: ");
2567         meth = TLSv1_method();
2568         tci = NULL;
2569         while ((ci = meth->get_cipher(i++)) != NULL)
2570                 {
2571                 if (tci != NULL)
2572                         if (ci->id >= tci->id)
2573                                 {
2574                                 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2575                                 return 0;
2576                                 }
2577                 tci = ci;
2578                 }
2579         fprintf(stderr, "ok\n");
2580 #endif
2581
2582         return 1;
2583         }