#include <stdlib.h>
#include <string.h>
#include <time.h>
-#include <ctype.h>
#define USE_SOCKETS
#include "e_os.h"
+#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
+ VMS (at least with DECompHP C). */
+#include <ctype.h>
+
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#endif
#include <openssl/err.h>
#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
+#endif
#include <openssl/bn.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
{
char *string;
int app_verify;
+ int allow_proxy_certs;
char *proxy_auth;
char *proxy_cond;
};
int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
+static int do_test_cipherlist(void);
static void sv_usage(void)
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
+ fprintf(stderr," -proxy - allow proxy certificates\n");
fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
" Use \"openssl ecparam -list_curves\" for all names\n" \
" (default is sect163r2).\n");
#endif
+ fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
}
}
+
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
int client_auth=0;
int server_auth=0,i;
struct app_verify_arg app_verify_arg =
- { APP_CALLBACK_STRING, 0, NULL, NULL };
+ { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
char *client_key=NULL;
+#ifndef OPENSSL_NO_ECDH
char *named_curve = NULL;
+#endif
SSL_CTX *s_ctx=NULL;
SSL_CTX *c_ctx=NULL;
- SSL_METHOD *meth=NULL;
+ const SSL_METHOD *meth=NULL;
SSL *c_ssl,*s_ssl;
int number=1,reuse=0;
long bytes=256L;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
int comp = 0;
+#ifndef OPENSSL_NO_COMP
COMP_METHOD *cm = NULL;
+#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+ int test_cipherlist = 0;
verbose = 0;
debug = 0;
{
app_verify_arg.app_verify = 1;
}
+ else if (strcmp(*argv,"-proxy") == 0)
+ {
+ app_verify_arg.allow_proxy_certs = 1;
+ }
+ else if (strcmp(*argv,"-test_cipherlist") == 0)
+ {
+ test_cipherlist = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
goto end;
}
+ if (test_cipherlist == 1)
+ {
+ /* ensure that the cipher list are correctly sorted and exit */
+ if (do_test_cipherlist() == 0)
+ EXIT(1);
+ ret = 0;
+ goto end;
+ }
+
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
SSL_library_init();
SSL_load_error_strings();
+#ifndef OPENSSL_NO_COMP
if (comp == COMP_ZLIB) cm = COMP_zlib();
if (comp == COMP_RLE) cm = COMP_rle();
if (cm != NULL)
fprintf(stderr, " %d: %s\n", c->id, c->name);
}
}
+#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
if (ssl2)
#ifndef OPENSSL_NO_ECDH
if (!no_ecdhe)
{
- ecdh = EC_KEY_new();
- if (ecdh != NULL)
- {
- if (named_curve)
- {
- int nid = OBJ_sn2nid(named_curve);
+ int nid;
- if (nid == 0)
- {
- BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
- EC_KEY_free(ecdh);
- goto end;
- }
-
- ecdh->group = EC_GROUP_new_by_nid(nid);
- if (ecdh->group == NULL)
- {
- BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
- EC_KEY_free(ecdh);
- goto end;
- }
+ if (named_curve != NULL)
+ {
+ nid = OBJ_sn2nid(named_curve);
+ if (nid == 0)
+ {
+ BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
+ goto end;
}
-
- if (ecdh->group == NULL)
- ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2);
+ }
+ else
+ nid = NID_sect163r2;
- SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
- SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
- EC_KEY_free(ecdh);
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL)
+ {
+ BIO_printf(bio_err, "unable to create curve\n");
+ goto end;
}
+
+ SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
}
#else
(void)no_ecdhe;
CRYPTO_mem_leaks(bio_err);
if (bio_err != NULL) BIO_free(bio_err);
EXIT(ret);
+ return ret;
}
int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
fprintf(stderr,"depth=%d %s\n",
ctx->error_depth,buf);
else
+ {
fprintf(stderr,"depth=%d error=%d %s\n",
ctx->error_depth,ctx->error,buf);
+ }
}
if (ok == 0)
{
+ fprintf(stderr,"Error string: %s\n",
+ X509_verify_cert_error_string(ctx->error));
switch (ctx->error)
{
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ fprintf(stderr," ... ignored.\n");
ok=1;
}
}
fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
while(i-- > 0)
{
- char c = *s++;
+ int c = *s++;
if (isascii(c) && isalpha(c))
{
if (islower(c))
static int process_proxy_cond_val(unsigned int letters[26],
const char *cond, const char **cond_end, int *pos, int indent)
{
- char c;
+ int c;
int ok = 1;
int negate = 0;
- while(isspace(*cond))
+ while(isspace((int)*cond))
{
cond++; (*pos)++;
}
{
negate = !negate;
cond++; (*pos)++;
- while(isspace(*cond))
+ while(isspace((int)*cond))
{
cond++; (*pos)++;
}
cond = *cond_end;
if (ok < 0)
goto end;
- while(isspace(*cond))
+ while(isspace((int)*cond))
{
cond++; (*pos)++;
}
while(ok >= 0)
{
- while(isspace(*cond))
+ while(isspace((int)*cond))
{
cond++; (*pos)++;
}
while(ok >= 0)
{
- while(isspace(*cond))
+ while(isspace((int)*cond))
{
cond++; (*pos)++;
}
fprintf(stderr, "In app_verify_callback, allowing cert. ");
fprintf(stderr, "Arg is: %s\n", cb_arg->string);
- fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
- (unsigned int)ctx, (unsigned int)ctx->cert);
+ fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
+ (void *)ctx, (void *)ctx->cert);
if (ctx->cert)
s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
if (s != NULL)
letters[i] = 0;
for(sp = cb_arg->proxy_auth; *sp; sp++)
{
- char c = *sp;
+ int c = *sp;
if (isascii(c) && isalpha(c))
{
if (islower(c))
X509_STORE_CTX_set_ex_data(ctx,
get_proxy_auth_ex_data_idx(),letters);
}
+ if (cb_arg->allow_proxy_certs)
+ {
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+ }
#ifndef OPENSSL_NO_X509_VERIFY
# ifdef OPENSSL_FIPS
return(dh);
}
#endif
+
+static int do_test_cipherlist(void)
+ {
+ int i = 0;
+ const SSL_METHOD *meth;
+ SSL_CIPHER *ci, *tci = NULL;
+
+#ifndef OPENSSL_NO_SSL2
+ fprintf(stderr, "testing SSLv2 cipher list order: ");
+ meth = SSLv2_method();
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, "ok\n");
+#endif
+#ifndef OPENSSL_NO_SSL3
+ fprintf(stderr, "testing SSLv3 cipher list order: ");
+ meth = SSLv3_method();
+ tci = NULL;
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, "ok\n");
+#endif
+#ifndef OPENSSL_NO_TLS1
+ fprintf(stderr, "testing TLSv1 cipher list order: ");
+ meth = TLSv1_method();
+ tci = NULL;
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, "ok\n");
+#endif
+
+ return 1;
+ }
projects / openssl.git / blobdiff