/* Or gethostname won't be declared properly on Linux and GNU platforms. */
#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
#include <assert.h>
#include <errno.h>
# include OPENSSL_UNISTD
#endif
-#ifdef OPENSSL_SYS_VMS
-# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
-# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
-#elif defined(OPENSSL_SYS_WINCE)
-# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
-# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
-#elif defined(OPENSSL_SYS_NETWARE)
-# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
-# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
-#else
-# define TEST_SERVER_CERT "../apps/server.pem"
-# define TEST_CLIENT_CERT "../apps/client.pem"
-#endif
-
/*
- * There is really no standard for this, so let's assign some tentative
- * numbers. In any case, these numbers are only for this test
+ * There is really no standard for this, so let's assign something
+ * only for this test
*/
-#define COMP_RLE 255
#define COMP_ZLIB 1
static int verify_callback(int ok, X509_STORE_CTX *ctx);
-#ifndef OPENSSL_NO_RSA
-static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength);
-static void free_tmp_rsa(void);
-#endif
static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
#define APP_CALLBACK_STRING "Test Callback Argument"
struct app_verify_arg {
static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
{
SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
- return BUF_strdup((char *)srp_client_arg->srppassin);
+ return OPENSSL_strdup((char *)srp_client_arg->srppassin);
}
/* SRP server */
#ifndef OPENSSL_NO_NEXTPROTONEG
/* Note that this code assumes that this is only a one element list: */
static const char NEXT_PROTO_STRING[] = "\x09testproto";
-int npn_client = 0;
-int npn_server = 0;
-int npn_server_reject = 0;
+static int npn_client = 0;
+static int npn_server = 0;
+static int npn_server_reject = 0;
static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
static const char *alpn_server;
static const char *alpn_expected;
static unsigned char *alpn_selected;
+static const char *server_min_proto;
+static const char *server_max_proto;
+static const char *client_min_proto;
+static const char *client_max_proto;
+static const char *should_negotiate;
/*-
* next_protos_parse parses a comma separated list of strings into a string
SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
- if (alpn_selected != NULL) {
- OPENSSL_free(alpn_selected);
- alpn_selected = NULL;
+ OPENSSL_free(alpn_selected);
+ alpn_selected = NULL;
+
+ if (client_proto_len != server_proto_len) {
+ BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
+ goto err;
}
- if (client_proto_len != server_proto_len ||
+ if (client_proto != NULL &&
memcmp(client_proto, server_proto, client_proto_len) != 0) {
BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
goto err;
#define CUSTOM_EXT_TYPE_2 1002
#define CUSTOM_EXT_TYPE_3 1003
-const char custom_ext_cli_string[] = "abc";
-const char custom_ext_srv_string[] = "defg";
+static const char custom_ext_cli_string[] = "abc";
+static const char custom_ext_srv_string[] = "defg";
/* These set from cmdline */
-char *serverinfo_file = NULL;
-int serverinfo_sct = 0;
-int serverinfo_tack = 0;
+static char *serverinfo_file = NULL;
+static int serverinfo_sct = 0;
+static int serverinfo_tack = 0;
/* These set based on extension callbacks */
-int serverinfo_sct_seen = 0;
-int serverinfo_tack_seen = 0;
-int serverinfo_other_seen = 0;
+static int serverinfo_sct_seen = 0;
+static int serverinfo_tack_seen = 0;
+static int serverinfo_other_seen = 0;
/* This set from cmdline */
-int custom_ext = 0;
+static int custom_ext = 0;
/* This set based on extension callbacks */
-int custom_ext_error = 0;
+static int custom_ext_error = 0;
static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char *in, size_t inlen,
" -bytes <val> - number of bytes to swap between client/server\n");
#ifndef OPENSSL_NO_DH
fprintf(stderr,
- " -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
+ " -dhe512 - use 512 bit key for DHE (to test failure)\n");
+ fprintf(stderr,
+ " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
fprintf(stderr,
" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
#endif
fprintf(stderr, " -tls1 - use TLSv1\n");
#ifndef OPENSSL_NO_DTLS
+ fprintf(stderr, " -dtls - use DTLS\n");
fprintf(stderr, " -dtls1 - use DTLSv1\n");
fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
#endif
fprintf(stderr,
" -time - measure processor time used by client and server\n");
fprintf(stderr, " -zlib - use zlib compression\n");
- fprintf(stderr, " -rle - use rle compression\n");
#ifndef OPENSSL_NO_EC
fprintf(stderr,
" -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n"
fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
fprintf(stderr,
" -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
+ fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
+ fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
+ fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
+ fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
+ fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
}
static void print_key_details(BIO *out, EVP_PKEY *key)
}
}
+/*
+ * protocol_from_string - converts a protocol version string to a number
+ *
+ * Returns -1 on failure or the version on success
+ */
+static int protocol_from_string(const char *value)
+{
+ struct protocol_versions {
+ const char *name;
+ int version;
+ };
+ static const struct protocol_versions versions[] = {
+ {"ssl3", SSL3_VERSION},
+ {"tls1", TLS1_VERSION},
+ {"tls1.1", TLS1_1_VERSION},
+ {"tls1.2", TLS1_2_VERSION},
+ {"dtls1", DTLS1_VERSION},
+ {"dtls1.2", DTLS1_2_VERSION}};
+ size_t i;
+ size_t n = OSSL_NELEM(versions);
+
+ for (i = 0; i < n; i++)
+ if (strcmp(versions[i].name, value) == 0)
+ return versions[i].version;
+ return -1;
+}
+
+/*
+ * set_protocol_version - Sets protocol version minimum or maximum
+ *
+ * Returns 0 on failure and 1 on success
+ */
+static int set_protocol_version(const char *version, SSL *ssl, int setting)
+{
+ if (version != NULL) {
+ int ver = protocol_from_string(version);
+ if (ver < 0) {
+ BIO_printf(bio_err, "Error parsing: %s\n", version);
+ return 0;
+ }
+ return SSL_ctrl(ssl, setting, ver, NULL);
+ }
+ return 1;
+}
+
int main(int argc, char *argv[])
{
char *CApath = NULL, *CAfile = NULL;
int badop = 0;
int bio_pair = 0;
int force = 0;
- int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl3 = 0, ret = 1;
+ int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
- char *server_cert = TEST_SERVER_CERT;
- char *server_key = NULL;
- char *client_cert = TEST_CLIENT_CERT;
- char *client_key = NULL;
#ifndef OPENSSL_NO_EC
char *named_curve = NULL;
#endif
long bytes = 256L;
#ifndef OPENSSL_NO_DH
DH *dh;
- int dhe1024 = 0, dhe1024dsa = 0;
+ int dhe512 = 0, dhe1024dsa = 0;
#endif
#ifndef OPENSSL_NO_EC
EC_KEY *ecdh = NULL;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
#ifndef OPENSSL_NO_COMP
- int comp = 0;
+ int n, comp = 0;
COMP_METHOD *cm = NULL;
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
#endif
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
- const char *arg = NULL, *argn = NULL;
+ char *arg = NULL, *argn = NULL;
verbose = 0;
debug = 0;
}
SSL_CONF_CTX_set_flags(s_cctx,
- SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER);
+ SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
+ SSL_CONF_FLAG_CERTIFICATE |
+ SSL_CONF_FLAG_REQUIRE_PRIVATE);
if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
ERR_print_errors(bio_err);
goto end;
}
SSL_CONF_CTX_set_flags(c_cctx,
- SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT);
+ SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
+ SSL_CONF_FLAG_CERTIFICATE |
+ SSL_CONF_FLAG_REQUIRE_PRIVATE);
if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
ERR_print_errors(bio_err);
goto end;
argv++;
while (argc >= 1) {
- if (!strcmp(*argv, "-F")) {
+ if (strcmp(*argv, "-F") == 0) {
#ifdef OPENSSL_FIPS
fips_mode = 1;
#else
debug = 1;
else if (strcmp(*argv, "-reuse") == 0)
reuse = 1;
- else if (strcmp(*argv, "-dhe1024") == 0) {
+ else if (strcmp(*argv, "-dhe512") == 0) {
#ifndef OPENSSL_NO_DH
- dhe1024 = 1;
+ dhe512 = 1;
#else
fprintf(stderr,
- "ignoring -dhe1024, since I'm compiled without DH\n");
+ "ignoring -dhe512, since I'm compiled without DH\n");
#endif
} else if (strcmp(*argv, "-dhe1024dsa") == 0) {
#ifndef OPENSSL_NO_DH
dhe1024dsa = 1;
#else
fprintf(stderr,
- "ignoring -dhe1024, since I'm compiled without DH\n");
+ "ignoring -dhe1024dsa, since I'm compiled without DH\n");
#endif
} else if (strcmp(*argv, "-no_dhe") == 0)
no_dhe = 1;
no_protocol = 1;
#endif
dtls12 = 1;
+ } else if (strcmp(*argv, "-dtls") == 0) {
+#ifdef OPENSSL_NO_DTLS
+ no_protocol = 1;
+#endif
+ dtls = 1;
} else if (strncmp(*argv, "-num", 4) == 0) {
if (--argc < 1)
goto bad;
bytes *= 1024L;
if (argv[0][i - 1] == 'm')
bytes *= 1024L * 1024L;
- } else if (strcmp(*argv, "-cert") == 0) {
- if (--argc < 1)
- goto bad;
- server_cert = *(++argv);
- } else if (strcmp(*argv, "-s_cert") == 0) {
- if (--argc < 1)
- goto bad;
- server_cert = *(++argv);
- } else if (strcmp(*argv, "-key") == 0) {
- if (--argc < 1)
- goto bad;
- server_key = *(++argv);
- } else if (strcmp(*argv, "-s_key") == 0) {
- if (--argc < 1)
- goto bad;
- server_key = *(++argv);
- } else if (strcmp(*argv, "-c_cert") == 0) {
- if (--argc < 1)
- goto bad;
- client_cert = *(++argv);
- } else if (strcmp(*argv, "-c_key") == 0) {
- if (--argc < 1)
- goto bad;
- client_key = *(++argv);
} else if (strcmp(*argv, "-cipher") == 0) {
if (--argc < 1)
goto bad;
#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv, "-zlib") == 0) {
comp = COMP_ZLIB;
- } else if (strcmp(*argv, "-rle") == 0) {
- comp = COMP_RLE;
}
#endif
else if (strcmp(*argv, "-named_curve") == 0) {
if (--argc < 1)
goto bad;
alpn_expected = *(++argv);
+ } else if (strcmp(*argv, "-server_min_proto") == 0) {
+ if (--argc < 1)
+ goto bad;
+ server_min_proto = *(++argv);
+ } else if (strcmp(*argv, "-server_max_proto") == 0) {
+ if (--argc < 1)
+ goto bad;
+ server_max_proto = *(++argv);
+ } else if (strcmp(*argv, "-client_min_proto") == 0) {
+ if (--argc < 1)
+ goto bad;
+ client_min_proto = *(++argv);
+ } else if (strcmp(*argv, "-client_max_proto") == 0) {
+ if (--argc < 1)
+ goto bad;
+ client_max_proto = *(++argv);
+ } else if (strcmp(*argv, "-should_negotiate") == 0) {
+ if (--argc < 1)
+ goto bad;
+ should_negotiate = *(++argv);
} else {
int rv;
arg = argv[0];
goto end;
}
- if (ssl3 + tls1 + dtls1 + dtls12 > 1) {
- fprintf(stderr, "At most one of -ssl3, -tls1, -dtls1 or -dtls12 should "
+ if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
+ fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
"be requested.\n");
EXIT(1);
}
goto end;
}
- if (!ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
+ if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
- "or add one of -ssl3, -tls1, -dtls1, -dtls12, -reuse\n"
+ "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
if (fips_mode) {
if (!FIPS_mode_set(1)) {
ERR_load_crypto_strings();
- ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE));
+ ERR_print_errors(bio_err);
EXIT(1);
} else
fprintf(stderr, "*** IN FIPS MODE ***\n");
#ifndef OPENSSL_NO_COMP
if (comp == COMP_ZLIB)
cm = COMP_zlib();
- if (comp == COMP_RLE)
- cm = COMP_rle();
if (cm != NULL) {
- if (cm->type != NID_undef) {
+ if (COMP_get_type(cm) != NID_undef) {
if (SSL_COMP_add_compression_method(comp, cm) != 0) {
fprintf(stderr, "Failed to add compression method\n");
ERR_print_errors_fp(stderr);
} else {
fprintf(stderr,
"Warning: %s compression not supported\n",
- (comp == COMP_RLE ? "rle" :
- (comp == COMP_ZLIB ? "zlib" : "unknown")));
+ comp == COMP_ZLIB ? "zlib" : "unknown");
ERR_print_errors_fp(stderr);
}
}
ssl_comp_methods = SSL_COMP_get_compression_methods();
- fprintf(stderr, "Available compression methods:");
- {
- int j, n = sk_SSL_COMP_num(ssl_comp_methods);
- if (n == 0)
- fprintf(stderr, " NONE\n");
- else {
- for (j = 0; j < n; j++) {
- SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
- fprintf(stderr, " %s:%d", c->name, c->id);
- }
- fprintf(stderr, "\n");
+ n = sk_SSL_COMP_num(ssl_comp_methods);
+ if (n) {
+ int j;
+ printf("Available compression methods:");
+ for (j = 0; j < n; j++) {
+ SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
+ printf(" %s:%d", c->name, c->id);
}
+ printf("\n");
}
#endif
meth = DTLSv1_method();
else if (dtls12)
meth = DTLSv1_2_method();
+ else if (dtls)
+ meth = DTLS_method();
else
#endif
if (tls1)
meth = TLSv1_method();
else
- meth = SSLv23_method();
+ meth = TLS_method();
c_ctx = SSL_CTX_new(meth);
s_ctx = SSL_CTX_new(meth);
}
/*
* Since we will use low security ciphersuites and keys for testing set
- * security level to zero.
+ * security level to zero by default. Tests can override this by adding
+ * "@SECLEVEL=n" to the cipher string.
*/
SSL_CTX_set_security_level(c_ctx, 0);
SSL_CTX_set_security_level(s_ctx, 0);
if (cipher != NULL) {
- if(!SSL_CTX_set_cipher_list(c_ctx, cipher)
+ if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
|| !SSL_CTX_set_cipher_list(s_ctx, cipher)) {
ERR_print_errors(bio_err);
goto end;
*/
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
dh = get_dh1024dsa();
- } else if (dhe1024)
- dh = get_dh1024();
- else
+ } else if (dhe512)
dh = get_dh512();
+ else
+ dh = get_dh1024();
SSL_CTX_set_tmp_dh(s_ctx, dh);
DH_free(dh);
}
BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
goto end;
}
- } else
-# ifdef OPENSSL_NO_EC2M
+ } else {
nid = NID_X9_62_prime256v1;
-# else
- nid = NID_sect163r2;
-# endif
+ }
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL) {
(void)no_ecdhe;
#endif
-#ifndef OPENSSL_NO_RSA
- SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
-#endif
-
- if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) {
- ERR_print_errors(bio_err);
- } else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
- (server_key ? server_key :
- server_cert),
- SSL_FILETYPE_PEM)) {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (client_auth) {
- if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
- || !SSL_CTX_use_PrivateKey_file(c_ctx,
- (client_key ? client_key : client_cert),
- SSL_FILETYPE_PEM)) {
- ERR_print_errors(bio_err);
- goto end;
- }
- }
-
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
}
if (client_auth) {
- BIO_printf(bio_err, "client authentication\n");
+ printf("client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
&app_verify_arg);
}
if (server_auth) {
- BIO_printf(bio_err, "server authentication\n");
+ printf("server authentication\n");
SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
&app_verify_arg);
{
int session_id_context = 0;
- if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
+ if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
sizeof session_id_context)) {
ERR_print_errors(bio_err);
goto end;
#endif
if (serverinfo_sct) {
- if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
+ if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err, "Error adding SCT extension\n");
}
}
if (serverinfo_tack) {
- if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
+ if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err, "Error adding TACK extension\n");
}
if (custom_ext) {
- if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
+ if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_cli_add_cb,
NULL, NULL,
custom_ext_0_cli_parse_cb, NULL)
- || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_cli_add_cb,
NULL, NULL,
custom_ext_1_cli_parse_cb, NULL)
- || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_cli_add_cb,
NULL, NULL,
custom_ext_2_cli_parse_cb, NULL)
- || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_cli_add_cb,
NULL, NULL,
custom_ext_3_cli_parse_cb, NULL)
- || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_srv_add_cb,
NULL, NULL,
custom_ext_0_srv_parse_cb, NULL)
- || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_srv_add_cb,
NULL, NULL,
custom_ext_1_srv_parse_cb, NULL)
- || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_srv_add_cb,
NULL, NULL,
custom_ext_2_srv_parse_cb, NULL)
- || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_srv_add_cb,
NULL, NULL,
custom_ext_3_srv_parse_cb, NULL)) {
goto end;
}
/* Returns 0 on success!! */
- if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
+ if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
BIO_printf(bio_err, "Error setting ALPN\n");
OPENSSL_free(alpn);
goto end;
c_ssl = SSL_new(c_ctx);
s_ssl = SSL_new(s_ctx);
-#ifndef OPENSSL_NO_KRB5
- if (c_ssl && c_ssl->kssl_ctx) {
- char localhost[MAXHOSTNAMELEN + 2];
-
- if (gethostname(localhost, sizeof localhost - 1) == 0) {
- localhost[sizeof localhost - 1] = '\0';
- if (strlen(localhost) == sizeof localhost - 1) {
- BIO_printf(bio_err, "localhost name too long\n");
- goto end;
- }
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
- }
- }
-#endif /* OPENSSL_NO_KRB5 */
+ if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
+ goto end;
+ if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
+ goto end;
+ if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
+ goto end;
+ if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
+ goto end;
+ BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
for (i = 0; i < number; i++) {
if (!reuse) {
- if(!SSL_set_session(c_ssl, NULL)) {
+ if (!SSL_set_session(c_ssl, NULL)) {
BIO_printf(bio_err, "Failed to set session\n");
goto end;
}
if (ret) break;
}
+ if (should_negotiate && ret == 0 &&
+ strcmp(should_negotiate, "fail-server") != 0 &&
+ strcmp(should_negotiate, "fail-client") != 0) {
+ int version = protocol_from_string(should_negotiate);
+ if (version < 0) {
+ BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
+ ret = 1;
+ goto err;
+ }
+ if (SSL_version(c_ssl) != version) {
+ BIO_printf(bio_err, "Unxpected version negotiated. "
+ "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
+ ret = 1;
+ goto err;
+ }
+ }
+
if (!verbose) {
print_details(c_ssl, "");
}
- if ((i > 1) || (bytes > 1L))
- BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", i,
- bytes);
if (print_time) {
#ifdef CLOCKS_PER_SEC
/*
#endif
}
+ err:
SSL_free(s_ssl);
SSL_free(c_ssl);
BIO_free(bio_stdout);
-#ifndef OPENSSL_NO_RSA
- free_tmp_rsa();
-#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
+ CONF_modules_unload(1);
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_thread_state(NULL);
BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
int ret = 1;
+ int err_in_client = 0;
+ int err_in_server = 0;
size_t bufsiz = 256; /* small buffer for testing */
if (r < 0) {
if (!BIO_should_retry(c_ssl_bio)) {
fprintf(stderr, "ERROR in CLIENT\n");
+ err_in_client = 1;
goto err;
}
/*
if (r < 0) {
if (!BIO_should_retry(c_ssl_bio)) {
fprintf(stderr, "ERROR in CLIENT\n");
+ err_in_client = 1;
goto err;
}
/*
if (r < 0) {
if (!BIO_should_retry(s_ssl_bio)) {
fprintf(stderr, "ERROR in SERVER\n");
+ err_in_server = 1;
goto err;
}
/* Ignore "BIO_should_retry". */
if (r < 0) {
if (!BIO_should_retry(s_ssl_bio)) {
fprintf(stderr, "ERROR in SERVER\n");
+ err_in_server = 1;
goto err;
}
/* blah, blah */
BIO_free(s_ssl_bio);
BIO_free(c_ssl_bio);
+ if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
+ ret = (err_in_client != 0) ? 0 : 1;
+ else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
+ ret = (err_in_server != 0) ? 0 : 1;
+
return ret;
}
int c_write, s_write;
int do_server = 0, do_client = 0;
int max_frag = 5 * 1024;
+ int err_in_client = 0;
+ int err_in_server = 0;
bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
- if ((cbuf = OPENSSL_malloc(bufsiz)) == NULL)
+ if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
goto err;
- if ((sbuf = OPENSSL_malloc(bufsiz)) == NULL)
+ if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
goto err;
- memset(cbuf, 0, bufsiz);
- memset(sbuf, 0, bufsiz);
-
c_to_s = BIO_new(BIO_s_mem());
s_to_c = BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL)) {
c_w = 1;
} else {
fprintf(stderr, "ERROR in CLIENT\n");
+ err_in_client = 1;
ERR_print_errors(bio_err);
goto err;
}
c_w = 1;
} else {
fprintf(stderr, "ERROR in CLIENT\n");
+ err_in_client = 1;
ERR_print_errors(bio_err);
goto err;
}
s_w = 1;
} else {
fprintf(stderr, "ERROR in SERVER\n");
+ err_in_server = 1;
ERR_print_errors(bio_err);
goto err;
}
s_w = 1;
} else {
fprintf(stderr, "ERROR in SERVER\n");
+ err_in_server = 1;
ERR_print_errors(bio_err);
goto err;
}
BIO_free(s_to_c);
BIO_free_all(c_bio);
BIO_free_all(s_bio);
+ OPENSSL_free(cbuf);
+ OPENSSL_free(sbuf);
- if (cbuf)
- OPENSSL_free(cbuf);
- if (sbuf)
- OPENSSL_free(sbuf);
+ if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
+ ret = (err_in_client != 0) ? 0 : 1;
+ else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
+ ret = (err_in_server != 0) ? 0 : 1;
return (ret);
}
sizeof buf);
if (s != NULL) {
if (ok)
- fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf);
+ printf("depth=%d %s\n", ctx->error_depth, buf);
else {
fprintf(stderr, "depth=%d error=%d %s\n",
ctx->error_depth, ctx->error, buf);
}
if (ok == 0) {
- fprintf(stderr, "Error string: %s\n",
- X509_verify_cert_error_string(ctx->error));
switch (ctx->error) {
+ default:
+ fprintf(stderr, "Error string: %s\n",
+ X509_verify_cert_error_string(ctx->error));
+ break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- fprintf(stderr, " ... ignored.\n");
ok = 1;
}
}
if (ok == 1) {
X509 *xs = ctx->current_cert;
- if (xs->ex_flags & EXFLAG_PROXY) {
+ if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
get_proxy_auth_ex_data_idx
());
* others.
*/
- fprintf(stderr, " Certificate proxy rights = %*.*s", i,
+ printf(" Certificate proxy rights = %*.*s", i,
i, s);
while (i-- > 0) {
int c = *s++;
}
found_any = 0;
- fprintf(stderr, ", resulting proxy rights = ");
+ printf(", resulting proxy rights = ");
for (i = 0; i < 26; i++)
if (letters[i]) {
- fprintf(stderr, "%c", i + 'A');
+ printf("%c", i + 'A');
found_any = 1;
}
if (!found_any)
- fprintf(stderr, "none");
- fprintf(stderr, "\n");
+ printf("none");
+ printf("\n");
PROXY_CERT_INFO_EXTENSION_free(pci);
}
if (cb_arg->app_verify) {
char *s = NULL, buf[256];
- fprintf(stderr, "In app_verify_callback, allowing cert. ");
- fprintf(stderr, "Arg is: %s\n", cb_arg->string);
- fprintf(stderr,
- "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
+ printf("In app_verify_callback, allowing cert. ");
+ printf("Arg is: %s\n", cb_arg->string);
+ printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
(void *)ctx, (void *)ctx->cert);
if (ctx->cert)
s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256);
if (s != NULL) {
- fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf);
+ printf("cert depth=%d %s\n", ctx->error_depth, buf);
}
return (1);
}
}
}
- fprintf(stderr, " Initial proxy rights = ");
+ printf(" Initial proxy rights = ");
for (i = 0; i < 26; i++)
if (letters[i]) {
- fprintf(stderr, "%c", i + 'A');
+ printf("%c", i + 'A');
found_any = 1;
}
if (!found_any)
- fprintf(stderr, "none");
- fprintf(stderr, "\n");
+ printf("none");
+ printf("\n");
X509_STORE_CTX_set_ex_data(ctx,
get_proxy_auth_ex_data_idx(), letters);
}
if (!ok)
fprintf(stderr,
- "Proxy rights check with condition '%s' proved invalid\n",
+ "Proxy rights check with condition '%s' invalid\n",
cb_arg->proxy_cond);
else
- fprintf(stderr,
- "Proxy rights check with condition '%s' proved valid\n",
+ printf("Proxy rights check with condition '%s' ok\n",
cb_arg->proxy_cond);
}
}
return (ok);
}
-#ifndef OPENSSL_NO_RSA
-static RSA *rsa_tmp = NULL;
-
-static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength)
-{
- BIGNUM *bn = NULL;
- if (rsa_tmp == NULL) {
- bn = BN_new();
- rsa_tmp = RSA_new();
- if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
- BIO_printf(bio_err, "Memory error...");
- goto end;
- }
- BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength);
- (void)BIO_flush(bio_err);
- if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
- BIO_printf(bio_err, "Error generating key.");
- RSA_free(rsa_tmp);
- rsa_tmp = NULL;
- }
- end:
- BIO_printf(bio_err, "\n");
- (void)BIO_flush(bio_err);
- }
- if (bn)
- BN_free(bn);
- return (rsa_tmp);
-}
-
-static void free_tmp_rsa(void)
-{
- RSA_free(rsa_tmp);
- rsa_tmp = NULL;
-}
-#endif
-
#ifndef OPENSSL_NO_DH
/*-
* These DH parameters have been generated as follows:
if (!ret) {
BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
pskkey);
- if (bn)
- BN_free(bn);
+ BN_free(bn);
return 0;
}
if (BN_num_bytes(bn) > (int)max_psk_len) {
const SSL_CIPHER *ci, *tci = NULL;
#ifndef OPENSSL_NO_SSL3
- fprintf(stderr, "testing SSLv3 cipher list order: ");
meth = SSLv3_method();
tci = NULL;
while ((ci = meth->get_cipher(i++)) != NULL) {
if (tci != NULL)
if (ci->id >= tci->id) {
- fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ fprintf(stderr, "testing SSLv3 cipher list order: ");
+ fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id);
return 0;
}
tci = ci;
}
- fprintf(stderr, "ok\n");
#endif
- fprintf(stderr, "testing TLSv1 cipher list order: ");
meth = TLSv1_method();
tci = NULL;
while ((ci = meth->get_cipher(i++)) != NULL) {
if (tci != NULL)
if (ci->id >= tci->id) {
- fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ fprintf(stderr, "testing TLSv1 cipher list order: ");
+ fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id);
return 0;
}
tci = ci;
}
- fprintf(stderr, "ok\n");
return 1;
}