diff options
Diffstat (limited to 'lib/libssl/src/ssl/ssltest.c')
| -rw-r--r-- | lib/libssl/src/ssl/ssltest.c | 510 |
1 files changed, 461 insertions, 49 deletions
diff --git a/lib/libssl/src/ssl/ssltest.c b/lib/libssl/src/ssl/ssltest.c index f9dca4e3ef7..90570f4bee7 100644 --- a/lib/libssl/src/ssl/ssltest.c +++ b/lib/libssl/src/ssl/ssltest.c @@ -60,51 +60,55 @@ #include <stdlib.h> #include <string.h> #include <errno.h> -#include "e_os.h" -#include "bio.h" -#include "crypto.h" -#include "x509.h" -#include "ssl.h" -#include "err.h" +#include <limits.h> + +#include "openssl/e_os.h" + +#include <openssl/bio.h> +#include <openssl/crypto.h> +#include <openssl/x509.h> +#include <openssl/ssl.h> +#include <openssl/err.h> #ifdef WINDOWS #include "../crypto/bio/bss_file.c" #endif -#define TEST_SERVER_CERT "../apps/server.pem" -#define TEST_CLIENT_CERT "../apps/client.pem" - -#ifndef NOPROTO -int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); -static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export); -#ifndef NO_DSA -static DH *get_dh512(void); +#if defined(NO_RSA) && !defined(NO_SSL2) +#define NO_SSL2 #endif + +#ifdef VMS +# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" +# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" #else -int MS_CALLBACK verify_callback(); -static RSA MS_CALLBACK *tmp_rsa_cb(); -#ifndef NO_DSA -static DH *get_dh512(); -#endif +# define TEST_SERVER_CERT "../apps/server.pem" +# define TEST_CLIENT_CERT "../apps/client.pem" #endif +int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); +#ifndef NO_RSA +static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); +#endif +#ifndef NO_DH +static DH *get_dh512(void); +#endif BIO *bio_err=NULL; BIO *bio_stdout=NULL; static char *cipher=NULL; int verbose=0; int debug=0; +#if 0 +/* Not used yet. */ #ifdef FIONBIO static int s_nbio=0; #endif +#endif -#ifndef NOPROTO +int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes); int doit(SSL *s_ssl,SSL *c_ssl,long bytes); -#else -int doit(); -#endif - -static void sv_usage() +static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); fprintf(stderr,"\n"); @@ -115,6 +119,9 @@ static void sv_usage() fprintf(stderr," -reuse - use session-id reuse\n"); fprintf(stderr," -num <val> - number of connections to perform\n"); fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n"); +#if !defined NO_DH && !defined NO_DSA + fprintf(stderr," -dhe1024 - generate 1024 bit key for DHE\n"); +#endif #ifndef NO_SSL2 fprintf(stderr," -ssl2 - use SSLv2\n"); #endif @@ -130,14 +137,16 @@ static void sv_usage() fprintf(stderr," -s_cert arg - Just the server certificate file\n"); fprintf(stderr," -c_cert arg - Just the client certificate file\n"); fprintf(stderr," -cipher arg - The cipher list\n"); + fprintf(stderr," -bio_pair - Use BIO pairs\n"); + fprintf(stderr," -f - Test even cases that can't work\n"); } -int main(argc, argv) -int argc; -char *argv[]; +int main(int argc, char *argv[]) { char *CApath=NULL,*CAfile=NULL; int badop=0; + int bio_pair=0; + int force=0; int tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; @@ -150,6 +159,7 @@ char *argv[]; int number=1,reuse=0; long bytes=1L; SSL_CIPHER *ciph; + int dhe1024 = 0; #ifndef NO_DH DH *dh; #endif @@ -174,6 +184,8 @@ char *argv[]; debug=1; else if (strcmp(*argv,"-reuse") == 0) reuse=1; + else if (strcmp(*argv,"-dhe1024") == 0) + dhe1024=1; else if (strcmp(*argv,"-ssl2") == 0) ssl2=1; else if (strcmp(*argv,"-tls1") == 0) @@ -225,6 +237,14 @@ char *argv[]; if (--argc < 1) goto bad; CAfile= *(++argv); } + else if (strcmp(*argv,"-bio_pair") == 0) + { + bio_pair = 1; + } + else if (strcmp(*argv,"-f") == 0) + { + force = 1; + } else { fprintf(stderr,"unknown option %s\n",*argv); @@ -241,9 +261,20 @@ bad: goto end; } + if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) + { + fprintf(stderr, "This case cannot work. Use -f switch to perform " + "the test anyway\n" + "(and -d to see what happens, " + "and -bio_pair to really make it happen :-)\n" + "or add one of -ssl2, -ssl3, -tls1, -reuse to " + "avoid protocol mismatch.\n"); + exit(1); + } + /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - SSLeay_add_ssl_algorithms(); + SSL_library_init(); SSL_load_error_strings(); #if !defined(NO_SSL2) && !defined(NO_SSL3) @@ -280,7 +311,29 @@ bad: } #ifndef NO_DH - dh=get_dh512(); +# ifndef NO_DSA + if (dhe1024) + { + DSA *dsa; + + if (verbose) + { + fprintf(stdout, "Creating 1024 bit DHE parameters ..."); + fflush(stdout); + } + + dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL); + dh = DSA_dup_DH(dsa); + DSA_free(dsa); + /* important: SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ + SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); + + if (verbose) + fprintf(stdout, " done\n"); + } + else +# endif + dh=get_dh512(); SSL_CTX_set_tmp_dh(s_ctx,dh); DH_free(dh); #endif @@ -338,7 +391,10 @@ bad: for (i=0; i<number; i++) { if (!reuse) SSL_set_session(c_ssl,NULL); - ret=doit(s_ssl,c_ssl,bytes); + if (bio_pair) + ret=doit_biopair(s_ssl,c_ssl,bytes); + else + ret=doit(s_ssl,c_ssl,bytes); } if (!verbose) @@ -361,20 +417,382 @@ end: if (bio_stdout != NULL) BIO_free(bio_stdout); + ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); CRYPTO_mem_leaks(bio_err); EXIT(ret); } +int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count) + { + long cw_num = count, cr_num = count, sw_num = count, sr_num = count; + BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; + BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; + SSL_CIPHER *ciph; + int ret = 1; + + size_t bufsiz = 256; /* small buffer for testing */ + + if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) + goto err; + if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) + goto err; + + s_ssl_bio = BIO_new(BIO_f_ssl()); + if (!s_ssl_bio) + goto err; + + c_ssl_bio = BIO_new(BIO_f_ssl()); + if (!c_ssl_bio) + goto err; + + SSL_set_connect_state(c_ssl); + SSL_set_bio(c_ssl, client, client); + (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); + + SSL_set_accept_state(s_ssl); + SSL_set_bio(s_ssl, server, server); + (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); + + do + { + /* c_ssl_bio: SSL filter BIO + * + * client: pseudo-I/O for SSL library + * + * client_io: client's SSL communication; usually to be + * relayed over some I/O facility, but in this + * test program, we're the server, too: + * + * server_io: server's SSL communication + * + * server: pseudo-I/O for SSL library + * + * s_ssl_bio: SSL filter BIO + * + * The client and the server each employ a "BIO pair": + * client + client_io, server + server_io. + * BIO pairs are symmetric. A BIO pair behaves similar + * to a non-blocking socketpair (but both endpoints must + * be handled by the same thread). + * [Here we could connect client and server to the ends + * of a single BIO pair, but then this code would be less + * suitable as an example for BIO pairs in general.] + * + * Useful functions for querying the state of BIO pair endpoints: + * + * BIO_ctrl_pending(bio) number of bytes we can read now + * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil + * other side's read attempt + * BIO_ctrl_get_write_gurantee(bio) number of bytes we can write now + * + * ..._read_request is never more than ..._write_guarantee; + * it depends on the application which one you should use. + */ + + /* We have non-blocking behaviour throughout this test program, but + * can be sure that there is *some* progress in each iteration; so + * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE + * -- we just try everything in each iteration + */ + + { + /* CLIENT */ + + MS_STATIC char cbuf[1024*8]; + int i, r; + + if (debug) + if (SSL_in_init(c_ssl)) + printf("client waiting in SSL_connect - %s\n", + SSL_state_string_long(c_ssl)); + + if (cw_num > 0) + { + /* Write to server. */ + + if (cw_num > (long)sizeof cbuf) + i = sizeof cbuf; + else + i = (int)cw_num; + r = BIO_write(c_ssl_bio, cbuf, i); + if (r == -1) + { + if (!BIO_should_retry(c_ssl_bio)) + { + fprintf(stderr,"ERROR in CLIENT\n"); + goto err; + } + /* BIO_should_retry(...) can just be ignored here. + * The library expects us to call BIO_write with + * the same arguments again, and that's what we will + * do in the next iteration. */ + } + else if (r == 0) + { + fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); + goto err; + } + else + { + if (debug) + printf("client wrote %d\n", r); + cw_num -= r; + } + } + + if (cr_num > 0) + { + /* Read from server. */ + + r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); + if (r < 0) + { + if (!BIO_should_retry(c_ssl_bio)) + { + fprintf(stderr,"ERROR in CLIENT\n"); + goto err; + } + /* Again, "BIO_should_retry" can be ignored. */ + } + else if (r == 0) + { + fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); + goto err; + } + else + { + if (debug) + printf("client read %d\n", r); + cr_num -= r; + } + } + } + + { + /* SERVER */ + + MS_STATIC char sbuf[1024*8]; + int i, r; + + if (debug) + if (SSL_in_init(s_ssl)) + printf("server waiting in SSL_accept - %s\n", + SSL_state_string_long(s_ssl)); + + if (sw_num > 0) + { + /* Write to client. */ + + if (sw_num > (long)sizeof sbuf) + i = sizeof sbuf; + else + i = (int)sw_num; + r = BIO_write(s_ssl_bio, sbuf, i); + if (r == -1) + { + if (!BIO_should_retry(s_ssl_bio)) + { + fprintf(stderr,"ERROR in SERVER\n"); + goto err; + } + /* Ignore "BIO_should_retry". */ + } + else if (r == 0) + { + fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); + goto err; + } + else + { + if (debug) + printf("server wrote %d\n", r); + sw_num -= r; + } + } + + if (sr_num > 0) + { + /* Read from client. */ + + r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); + if (r < 0) + { + if (!BIO_should_retry(s_ssl_bio)) + { + fprintf(stderr,"ERROR in SERVER\n"); + goto err; + } + /* blah, blah */ + } + else if (r == 0) + { + fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); + goto err; + } + else + { + if (debug) + printf("server read %d\n", r); + sr_num -= r; + } + } + } + + { + /* "I/O" BETWEEN CLIENT AND SERVER. */ + +#define RELAYBUFSIZ 200 + static char buf[RELAYBUFSIZ]; + + /* RELAYBUF is arbitrary. When writing data over some real + * network, use a buffer of the same size as in the BIO_pipe + * and make that size large (for reading from the network + * small buffers usually won't hurt). + * Here sizes differ for testing. */ + + size_t r1, r2; + size_t num; + int r; + static int prev_progress = 1; + int progress = 0; + + /* client to server */ + do + { + r1 = BIO_ctrl_pending(client_io); + r2 = BIO_ctrl_get_write_guarantee(server_io); + + num = r1; + if (r2 < num) + num = r2; + if (num) + { + if (sizeof buf < num) + num = sizeof buf; + if (INT_MAX < num) /* yeah, right */ + num = INT_MAX; + + r = BIO_read(client_io, buf, (int)num); + if (r != (int)num) /* can't happen */ + { + fprintf(stderr, "ERROR: BIO_read could not read " + "BIO_ctrl_pending() bytes"); + goto err; + } + r = BIO_write(server_io, buf, (int)num); + if (r != (int)num) /* can't happen */ + { + fprintf(stderr, "ERROR: BIO_write could not write " + "BIO_ctrl_get_write_guarantee() bytes"); + goto err; + } + progress = 1; + + if (debug) + printf("C->S relaying: %d bytes\n", (int)num); + } + } + while (r1 && r2); + + /* server to client */ + do + { + r1 = BIO_ctrl_pending(server_io); + r2 = BIO_ctrl_get_write_guarantee(client_io); + + num = r1; + if (r2 < num) + num = r2; + if (num) + { + if (sizeof buf < num) + num = sizeof buf; + if (INT_MAX < num) + num = INT_MAX; + + r = BIO_read(server_io, buf, (int)num); + if (r != (int)num) /* can't happen */ + { + fprintf(stderr, "ERROR: BIO_read could not read " + "BIO_ctrl_pending() bytes"); + goto err; + } + r = BIO_write(client_io, buf, (int)num); + if (r != (int)num) /* can't happen */ + { + fprintf(stderr, "ERROR: BIO_write could not write " + "BIO_ctrl_get_write_guarantee() bytes"); + goto err; + } + progress = 1; + + if (debug) + printf("S->C relaying: %d bytes\n", (int)num); + } + } + while (r1 && r2); + + if (!progress && !prev_progress) + if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) + { + fprintf(stderr, "ERROR: got stuck\n"); + if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) + { + fprintf(stderr, "This can happen for SSL2 because " + "CLIENT-FINISHED and SERVER-VERIFY are written \n" + "concurrently ..."); + if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 + && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) + { + fprintf(stderr, " ok.\n"); + goto end; + } + } + fprintf(stderr, " ERROR.\n"); + goto err; + } + prev_progress = progress; + } + } + while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); + + ciph = SSL_get_current_cipher(c_ssl); + if (verbose) + fprintf(stdout,"DONE via BIO pair, protocol %s, cipher %s, %s\n", + SSL_get_version(c_ssl), + SSL_CIPHER_get_version(ciph), + SSL_CIPHER_get_name(ciph)); + end: + ret = 0; + + err: + ERR_print_errors(bio_err); + + if (server) + BIO_free(server); + if (server_io) + BIO_free(server_io); + if (client) + BIO_free(client); + if (client_io) + BIO_free(client_io); + if (s_ssl_bio) + BIO_free(s_ssl_bio); + if (c_ssl_bio) + BIO_free(c_ssl_bio); + + return ret; + } + + #define W_READ 1 #define W_WRITE 2 #define C_DONE 1 #define S_DONE 2 -int doit(s_ssl,c_ssl,count) -SSL *s_ssl,*c_ssl; -long count; +int doit(SSL *s_ssl, SSL *c_ssl, long count) { MS_STATIC char cbuf[1024*8],sbuf[1024*8]; long cw_num=count,cr_num=count; @@ -673,9 +1091,7 @@ err: return(ret); } -int MS_CALLBACK verify_callback(ok, ctx) -int ok; -X509_STORE_CTX *ctx; +int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char *s,buf[256]; @@ -716,7 +1132,7 @@ static unsigned char dh512_g[]={ 0x02, }; -static DH *get_dh512() +static DH *get_dh512(void) { DH *dh=NULL; @@ -729,23 +1145,19 @@ static DH *get_dh512() } #endif -static RSA MS_CALLBACK *tmp_rsa_cb(s,export) -SSL *s; -int export; +#ifndef NO_RSA +static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) { static RSA *rsa_tmp=NULL; if (rsa_tmp == NULL) { - BIO_printf(bio_err,"Generating temp (512 bit) RSA key..."); - BIO_flush(bio_err); -#ifndef NO_RSA - rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL); -#endif + BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); + (void)BIO_flush(bio_err); + rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); BIO_printf(bio_err,"\n"); - BIO_flush(bio_err); + (void)BIO_flush(bio_err); } return(rsa_tmp); } - - +#endif |