static const char *alpn_expected;
static unsigned char *alpn_selected;
-/* next_protos_parse parses a comma separated list of strings into a string
+/*-
+ * next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
* outlen: (output) set to the length of the resulting buffer on success.
* err: (maybe NULL) on failure, an error message line is written to this BIO.
- * in: a NUL termianted string like "abc,def,ghi"
+ * in: a NUL terminated string like "abc,def,ghi"
*
* returns: a malloced buffer or NULL on failure.
*/
/* This set based on extension callbacks */
int custom_ext_error = 0;
-static int serverinfo_cli_cb(SSL* s, unsigned int ext_type,
- const unsigned char* in, size_t inlen,
- int* al, void* arg)
+static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in, size_t inlen,
+ int *al, void *arg)
{
if (ext_type == SCT_EXT_TYPE)
serverinfo_sct_seen++;
return 0;
}
-/* Four test cases for custom extensions:
+/*-
+ * Four test cases for custom extensions:
* 0 - no ClientHello extension or ServerHello response
* 1 - ClientHello with "abc", no response
* 2 - ClientHello with "abc", empty response
{
if (ext_type != CUSTOM_EXT_TYPE_0)
custom_ext_error = 1;
- return -1; /* Don't send an extension */
+ return 0; /* Don't send an extension */
}
static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
return 1;
}
-/* custom_ext_0_cli_parse_cb returns -1 - the server won't receive a callback for this extension */
+/* custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback for this extension */
static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char *in,
size_t inlen, int *al,
void *arg)
{
+ custom_ext_error = 1;
return 1;
}
-/* 'generate' callbacks are always called, even if the 'receive' callback isn't called */
+/* 'add' callbacks are only called if the 'parse' callback is called */
static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
const unsigned char **out,
size_t *outlen, int *al, void *arg)
{
- return -1; /* Don't send an extension */
+ /* Error: should not have been called */
+ custom_ext_error = 1;
+ return 0; /* Don't send an extension */
}
static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char **out,
size_t *outlen, int *al, void *arg)
{
- return -1; /* Don't send an extension */
+ return 0; /* Don't send an extension */
}
static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
- fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
+ fprintf(stderr," -proxy_cond <val> - expression to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
fprintf(stderr," -d - debug output\n");
fprintf(stderr," -reuse - use session-id reuse\n");
#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
fprintf(stderr," -ssl3 - use SSLv3\n");
#endif
#ifndef OPENSSL_NO_TLS1
" Use \"openssl ecparam -list_curves\" for all names\n" \
" (default is sect163r2).\n");
#endif
- fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+ fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
+ " When this option is requested, the cipherlist\n"
+ " tests are run instead of handshake tests.\n");
fprintf(stderr," -serverinfo_file file - have server use this file\n");
fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
#ifdef OPENSSL_FIPS
int fips_mode=0;
#endif
+ int no_protocol = 0;
verbose = 0;
debug = 0;
#ifdef OPENSSL_FIPS
fips_mode=1;
#else
- fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ fprintf(stderr,"not compiled with FIPS support, so exiting without running.\n");
EXIT(0);
#endif
}
}
#endif
else if (strcmp(*argv,"-ssl2") == 0)
- ssl2=1;
+ {
+#ifdef OPENSSL_NO_SSL2
+ no_protocol = 1;
+#endif
+ ssl2 = 1;
+ }
else if (strcmp(*argv,"-tls1") == 0)
- tls1=1;
+ {
+#ifdef OPENSSL_NO_TLS1
+ no_protocol = 1;
+#endif
+ tls1 = 1;
+ }
else if (strcmp(*argv,"-ssl3") == 0)
- ssl3=1;
+ {
+#ifdef OPENSSL_NO_SSL3_METHOD
+ no_protocol = 1;
+#endif
+ ssl3 = 1;
+ }
else if (strncmp(*argv,"-num",4) == 0)
{
if (--argc < 1) goto bad;
goto end;
}
+ /*
+ * test_cipherlist prevails over protocol switch: we test the cipherlist
+ * for all enabled protocols.
+ */
if (test_cipherlist == 1)
{
/* ensure that the cipher list are correctly sorted and exit */
+ fprintf(stdout, "Testing cipherlist order only. Ignoring all "
+ "other options.\n");
if (do_test_cipherlist() == 0)
EXIT(1);
ret = 0;
goto end;
}
+ if (ssl2 + ssl3 + tls1 > 1)
+ {
+ fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should "
+ "be requested.\n");
+ EXIT(1);
+ }
+
+ /*
+ * Testing was requested for a compiled-out protocol (e.g. SSLv2).
+ * Ideally, we would error out, but the generic test wrapper can't know
+ * when to expect failure. So we do nothing and return success.
+ */
+ if (no_protocol)
+ {
+ fprintf(stderr, "Testing was requested for a disabled protocol. "
+ "Skipping tests.\n");
+ ret = 0;
+ goto end;
+ }
+
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
}
#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+/* At this point, ssl2/ssl3/tls1 is only set if the protocol is available.
+ * (Otherwise we exit early.)
+ * However the compiler doesn't know this, so we ifdef. */
+#ifndef OPENSSL_NO_SSL2
if (ssl2)
meth=SSLv2_method();
- else
- if (tls1)
- meth=TLSv1_method();
else
+#endif
+#ifndef OPENSSL_NO_SSL3
if (ssl3)
meth=SSLv3_method();
else
- meth=SSLv23_method();
-#else
-#ifdef OPENSSL_NO_SSL2
+#endif
+#ifndef OPENSSL_NO_TLS1
if (tls1)
meth=TLSv1_method();
else
- if (ssl3)
- meth=SSLv3_method();
- else
- meth=SSLv23_method();
-#else
- meth=SSLv2_method();
-#endif
#endif
+ meth=SSLv23_method();
c_ctx=SSL_CTX_new(meth);
s_ctx=SSL_CTX_new(meth);
#endif
if (serverinfo_sct)
- SSL_CTX_set_custom_cli_ext(c_ctx, SCT_EXT_TYPE, NULL,
- serverinfo_cli_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb, NULL);
if (serverinfo_tack)
- SSL_CTX_set_custom_cli_ext(c_ctx, TACK_EXT_TYPE, NULL,
- serverinfo_cli_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb, NULL);
if (serverinfo_file)
if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file))
if (custom_ext)
{
- SSL_CTX_set_custom_cli_ext(c_ctx, CUSTOM_EXT_TYPE_0,
- custom_ext_0_cli_add_cb,
- custom_ext_0_cli_parse_cb, NULL);
- SSL_CTX_set_custom_cli_ext(c_ctx, CUSTOM_EXT_TYPE_1,
- custom_ext_1_cli_add_cb,
- custom_ext_1_cli_parse_cb, NULL);
- SSL_CTX_set_custom_cli_ext(c_ctx, CUSTOM_EXT_TYPE_2,
- custom_ext_2_cli_add_cb,
- custom_ext_2_cli_parse_cb, NULL);
- SSL_CTX_set_custom_cli_ext(c_ctx, CUSTOM_EXT_TYPE_3,
- custom_ext_3_cli_add_cb,
- custom_ext_3_cli_parse_cb, NULL);
-
-
- SSL_CTX_set_custom_srv_ext(s_ctx, CUSTOM_EXT_TYPE_0,
- custom_ext_0_srv_parse_cb,
- custom_ext_0_srv_add_cb, NULL);
- SSL_CTX_set_custom_srv_ext(s_ctx, CUSTOM_EXT_TYPE_1,
- custom_ext_1_srv_parse_cb,
- custom_ext_1_srv_add_cb, NULL);
- SSL_CTX_set_custom_srv_ext(s_ctx, CUSTOM_EXT_TYPE_2,
- custom_ext_2_srv_parse_cb,
- custom_ext_2_srv_add_cb, NULL);
- SSL_CTX_set_custom_srv_ext(s_ctx, CUSTOM_EXT_TYPE_3,
- custom_ext_3_srv_parse_cb,
- custom_ext_3_srv_add_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
+ custom_ext_0_cli_add_cb,
+ NULL, NULL,
+ custom_ext_0_cli_parse_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_1_cli_add_cb,
+ NULL, NULL,
+ custom_ext_1_cli_parse_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_2_cli_add_cb,
+ NULL, NULL,
+ custom_ext_2_cli_parse_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_3_cli_add_cb,
+ NULL, NULL,
+ custom_ext_3_cli_parse_cb, NULL);
+
+
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
+ custom_ext_0_srv_add_cb,
+ NULL, NULL,
+ custom_ext_0_srv_parse_cb, NULL);
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_1_srv_add_cb,
+ NULL, NULL,
+ custom_ext_1_srv_parse_cb, NULL);
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_2_srv_add_cb,
+ NULL, NULL,
+ custom_ext_2_srv_parse_cb, NULL);
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_3_srv_add_cb,
+ NULL, NULL,
+ custom_ext_3_srv_parse_cb, NULL);
}
if (alpn_server)
do
{
- /* c_ssl_bio: SSL filter BIO
+ /*-
+ * c_ssl_bio: SSL filter BIO
*
* client: pseudo-I/O for SSL library
*
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
-/* else if (s_write)
+/*-
+ else if (s_write)
printf("server:SSL_write()\n");
else
printf("server:SSL_read()\n"); */
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
-/* else if (c_write)
+/*-
+ else if (c_write)
printf("client:SSL_write()\n");
else
printf("client:SSL_read()\n"); */
static void process_proxy_debug(int indent, const char *format, ...)
{
+ /* That's 80 > */
static const char indentation[] =
">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
- ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+ ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>";
char my_format[256];
va_list args;
vfprintf(stderr, my_format, args);
va_end(args);
}
-/* Priority levels:
- 0 [!]var, ()
- 1 & ^
- 2 |
-*/
+/*-
+ * Priority levels:
+ * 0 [!]var, ()
+ * 1 & ^
+ * 2 |
+ */
static int process_proxy_cond_adders(unsigned int letters[26],
const char *cond, const char **cond_end, int *pos, int indent);
static int process_proxy_cond_val(unsigned int letters[26],
#endif
#ifndef OPENSSL_NO_DH
-/* These DH parameters have been generated as follows:
+/*-
+ * These DH parameters have been generated as follows:
* $ openssl dhparam -C -noout 512
* $ openssl dhparam -C -noout 1024
* $ openssl dhparam -C -noout -dsaparam 1024